Hacker News new | comments | ask | show | jobs | submit login
Basic Security Precautions for Non-Profits and Journalists (techsolidarity.org)
195 points by idlewords on Feb 11, 2017 | hide | past | web | favorite | 174 comments

Before you freak out about these recommendations, please take into account:

These instructions are written for unsophisticated users, particularly journalists and activists, and were written with feedback from those users. So, for instance, the steps you might take to arrive at a secure Firefox or Android configuration are probably fine, but not workable for the audience these instructions are intended for.

We're simultaneously working with the airport lawyer groups (there's a huge one at ORD). It's been jarring to realize how many compromises are required to make things workable for groups of non-experts to use. Just getting software installed is a major hassle, so anything you install or customize needs to be really worth the effort.

First, thank you so much for putting together this list (you say "we", so I assume you are part of it); a great first step. What was your role? Do you endorse this list now and going forward?

Second, whoever made this list should include names that endorse it. They must be names of people trusted by various communities: IT security community, journalists (e.g., NY Times), activists (e.g., EFF), etc. Otherwise, it's just another list of very many on the Internet; who knows how reliable it is?

> It's been jarring to realize how many compromises are required to make things workable for groups of non-experts to use.

Third, I am very familiar with this problem, and that assumes you can persuade them that there's sufficient risk to justify the effort. The only solution is for someone to create secure, foolproof, user-friendly and appealing software that is effortless to install and maintain. I know it's easy for me to say "someone", but I don't have the expertise and this project absolutely requires expertise; it can't be yet another hack claiming to be secure.

Fourth, that will create another problem: If that software becomes widely used it will become a very appealing target for extremely well-resourced attackers. I'm not sure of the solution to this problem; can software really be secured effectively against those attackers? Really, we need more than one secure option; or, what if most communication software was fundamentally secure? One step at a time.

> whoever made this list should include names that endorse it.

Clarifying to my own comment: I trust that it is authoritative, but people who don't read HN need to trust it.

Also, my whole comment is very much IMH - non-authoritative, - O.

It is time for journalism schools (of all sorts) to teach this stuff. Nobody should call themselves a journalist (or a lawyer) if they cannot communicate securely, if they cannot at least put up a good fight against the watchers.

What I'm missing here is a simple: Don't use a laptop or cellphone to store sensitive information in the first place (regardless of whether of not you take it across the border). That seems to be the simplest precaution of all.

Was that an option or was it assumed un-avoidable that people will always have a smart phone or laptop with sensitive info on them? (so it would have to be an iphone according to the article) whereas that is assuming the choice has already been made that you have to have a smartphone to begin with.

This is advice for busy, working people to whom you cannot say "rethink your entire workflow" or "don't have a phone".

The goal is to provide practical security advice that people will use, and that does not make things worse.

Ok, I got that. So here's a suggestion for a simple but very effective addendum:

- do not store on your laptop / cellphone what you no longer need

- make sure you protect your back-ups as well as you protect your originals

- don't type in credentials while under camera observation

What you're missing here is that the work these people do requires them to use computers and phones, and telling them to stop using them is like telling them to be 1/100th as effective as they would be otherwise.

This isn't "advice for refugees entering the country whose lives depend on getting past CBP".

Using a laptop or cellphone is not the same as storing sensitive info on them.

Yeah. The only reasonably secure option for Android requires you to own a Nexus device within the window Google pushes security updates regularly. Or you flash it yourself to keep it up to date regularly. And even that is kind of dicey unless its just Google apps + Signal + verifiable OSS.

What about a custom ROM (fork) of Android, sans Google apps? Not an option for typical end-users, of course.

Disabling Verified Boot and not having Google Play Services would dramatically reduce the security posture of an Android device.

Disclaimer: I work at Google.

> not having Google Play Services would dramatically reduce the security posture of an Android device.

I understand Verified Boot, but how would removing Google Play Services damage security? It would seem to reduce the attack surface.

For one, without Google Play Services you have no Play Store. Unless you're going to prevent users from installing apps entirely, there isn't really another safe way to obtain apps. Additionally Verify Apps, SafetyNet, Safe Browsing, etc. are all part of Google Play Services. You _really_ want Verify Apps.

F-Droid, Raccoon, MicroG?

F-Droid and Racoon are ways to obtain apps. MicroG is an alternative to Google Play Services. How do these solve the other issues the commenter mentioned? Does MicroG include "Verify Apps, SafetyNet, Safe Browsing, etc."?

Excellent points; thanks.

you can keep verified boot on custom roms. play services expose you to googles nsa'd taps we'll hear about in 5y.

source: im another google engineer


How do you propose a custom rom can establish hardware root of trust without being signed by the device manufacturer?

I believe the point is that such a signature is useless since the software signed as safe is actually unsafe, while a self-signed rom at least has a chance to be safe.

this reminds me of when team-teso had their stuff on their website directly accessible over https.. so they used a self-signed cert, so that no govt or corporation could require a MITM with a valid signed cert from any trusted CA.

Probably as long as it was patched for security updates but tbpfh, trusting a random stranger on the internet for security advice is likely unwise.

If you can't use your phone number for password recovery or SMS to your phone number as the 2FA, what do you use instead?

The best-practices 2FA stack is:

* U2F token (primary method)

* TOTP via phone app (backup)

* Backup keys printed or on encrypted USB, in a safe.

* SMS disabled explicitly.

TOTP fallback doesn't reduce security meaningfully, because U2F principally protects against phishing. But SMS fallback is devastating to security.


Presumably a security key. A Yubikey or something like it.

you don't lose your 2fa. thats it. all other options are unsafe

What about not using public wifi hotspots?

I wouldn't, but the instructions here assume the network itself is compromised, so I'm not sure we gain much security by adding another scary-sounding technical requirement.

It's unfortunate that this guide is not presented in two columns, at least partially. It's hard to line up the Don't's with Do's.

For example in the Don't section it says "[Don't] Store sensitive information in cloud services like Evernote or Dropbox." Ok, but where is the corresponding entry in the "Do" section, which tells folks how to store sensitive information? Especially in a way that permits more than one person to access and use the information, which is key to how both journalists and activists work?

There might not be a "good" answer. But recognizing that people have to work, there is probably a sense of "better" or "best for now". Maybe that's the format:

    Don't                      | Better
    Don't use your fingerprint | Use a long passphrase 
    to lock/unlock devices     | to lock your devices.

EDIT: This guide is very helpful and kudos to the folks to made it. I offer my thoughts solely in the spirit of "maybe this feedback will be helpful." My intention is not to sit on the sidelines throwing rocks at people who are actually doing things.

Thanks for the helpful suggestion! I'll try formatting it this way, too.

Can someone explain the reasoning behind these recommendations?

Don't :

> Use your fingerprint to lock/unlock devices.

> Use an Android phone.

> Take the devices you work on across the US border.

Anyone has experience with their devices being searched at the border? Do they just look at your social media and let you go or do they somehow copy the data on the devices or install any software on the devices? Will the persons devices always be in visibility or do the CBP officers handle them in separate rooms?

Assuming I have to carry my laptop and phone across the border, what precautions can I take to minimize the potential privacy violations? After crossing the border, do I just reinstall my OS of choice (Ubuntu) from scratch and reset all passwords?

Regarding the browser recommendation, why is Firefox not recommended? It's used in the Tor browser and I have not heard of any major security incident recently with Firefox.

> Use your fingerprint to lock/unlock devices.

Fingerprints have a different and weaker legal standard than passwords to protect them

> Use an Android phone.

It may be possible to get a secure Android phone, however, it is unlikely that the one you have is. Varying levels of quality for disk crypto and TPM key storage will do you in.

> Take the devices you work on across the US border

Any data or passwords you have on you is data you could lose, get forced to cough up, etc.

> Assuming I have to carry my laptop and phone across the border, what precautions can I take to minimize the potential privacy violations?

Put an encrypted blob on [name a cloud provider]. Download it once you cross through customs.

> why is Firefox not recommended?

Because Firefox has no sandbox and gets routinely exploited by Law Enforcement

> It's used in the Tor browser

The Tor Browser is an abomination.

> I have not heard of any major security incident recently with Firefox.

You have not been paying attention. Maybe consider accepting the advice of experts?

> You have not been paying attention. Maybe consider accepting the advice of experts?

It would be great to have a few of these issues sourced in the comment (and your comments on the Tor Browser expanded with some reasoning) just so everyone is on the same page. I've seen some exploits with Tor Browser but I thought they'd be mostly sorted out.

I get that Chrome has some more mature sandboxing code, but I must admit I'm not a fan of how it handles a lot of things including download behaviour (http://security.stackexchange.com/q/145808 and https://scarybeastsecurity.blogspot.co.uk/2016/11/0day-poc-r...), Firefox at least does a better job here.

I agree with the advice for border passage, only thing that makes this difficult is the state of upload speeds.

It would be great to get detailed citations from experts on any thread, but we can't always get what we want.

Adding: the Tor Browser might be the least safe browser to use of all available browsers that can be installed on modern computers. It is a perfect storm of "inferior security design" and "maximized adversarial value per exploit dollar spent".

Don't use Tor Browser.

Why exactly?

The comment I just wrote says why, succinctly. It helps if you understand the economics of browser exploit development, and then remind yourself that TBB collapses a whole set of valuable targets down to a single release chain.

Does make sense. Any advice on best way to access the Tor network, if not the Tor Browser?

The TOR network is a network: you can access it using any web browser and the TOR client + a local web proxy. Use Chrome and configure it to use the local web proxy, now you're accessing TOR using Chrome.

@munin can you clarify is "TOR client" the same as "TOR Browser" downloaded here[1] or is it something different?

Do you have any links you can share to best practices for setting up this secure TOR client instead of using the insecure TBB as explained above?

[1] https://www.torproject.org/download/download-easy.html.en

The Tor client is the software which runs the 'onion routing' part. This provides a local network port which is your wormhole into the network; this is called a SOCKS proxy.

The TBB has the Tor client and a browser (a slightly tweaked Firefox) configured to connect via the Tor SOCKS proxy rather than via the standard network.

I was disappointed last time I booted up TBB to see they had security by default set to 'Low', which enabled lots of unnecessary stuff, like javascript on for every site by default. Too many content parsers trying to do stuff with untrusted data. Its pretty poor.

And what about TAILS? It has a separated/modified Tor Browser. If I frequent a certain site and LE knows that I know I can be exploited, but what if I'm an activist who puts the TAILS USB in his notebook, boot from it, then publish an article on medium.com with a freshly created account. Will LE be able to exploit me?

> You have not been paying attention. Maybe consider accepting the advice of experts?

Nothing on the article's website suggests an affiliation or particular interest with security issues. This kind of patronising tone directed at people asking for help is the single most unpleasant part of the IT security industry.

thegrugq recently had a post about travel kits https://twitter.com/thegrugq/status/829855684636274688

It's not just the US border, any border they can request you open up social media accounts or walk away with your laptop or phone and return it later filled with spyware. Business trips from here to China always involve buying a new phone and wiping/selling it on Craigslist after you return assuming it's been compromised.

Seems like a travel guide could be useful for journalists, I'd imagine most people don't even think about something like a travel kit.

> wiping/selling it on Craigslist after you return assuming it's been compromised.

Seems like if you assume a phone is compromised, it would be immoral to sell it to someone else without full disclosure of your concerns.

What can I subscribe to, to hear about news like that in a more systematic fashion? I mean, monitoring all CVEs might be a little to much for somebody who isn't full time security professional, but there surely must be some reasonable compromise between that and position like "this browser is secure because tptacek said so".

I don't mean anything against tptacek personally, but without any substantial grounding this is as good as believing Keith Alexander/Michael Rogers/Vladimir Putin/Osama bin Laden/coin toss. In fact, coin toss might be the most secure of all, as I surely know it doesn't try to fool me on purpose.

Refresh the HN front page all day long, like I do.

US-CERT publishes alerts on vulnerabilities affecting common software. Several RSS feeds available. They also have weekly vulnerability summaries for a wide range of software.



Border patrol cannot force you to divulge a PIN or password. They can force you to apply your fingerprint.

Look elsewhere in this thread for "why not use an Android device."

Don't carry your work devices across the US border because they may be taken, can be taken out of your view, and may be duplicated (and yeah, you should have FDE on your computers etc., but don't take the chance).

The US border patrol cannot force you to give up your password.

But other countries (including Canada) can.


They might not be able to force that on US citizens, who have an absolute right both to habeas and to enter the country. They can force it on nonresident aliens.

>I have not heard of any major security incident recently with Firefox.

There's a reason that pwn2own (the hacking competition) has much higher bounties for finding Chrome vulnerabilities than finding Firefox vulnerabilities - http://blog.trendmicro.com/pwn2own-returns-for-2017-to-celeb...

Chrome has more robust exploit mitigations and its separated architecture is more mature than Firefox's.

It's sort of sad and wonderful that the best we can do is an iPad when it comes to secure computing. It's awesome that something you can buy most anywhere for < $500 USD is pretty secure. It's also sad that it's the best we can do, and there is only 1 manufacturer of such a device. We desperately need better privacy and security, both from a legal and a technical point of view.

Just a bit of feedback: might be nice to repeat the "Don't" in front of each sentence, even if it's grouped under the heading and therefore repetitive: I found myself being like "wait, it's telling me to backup my messages to google drive? Are they client-side encrypted?"

Yes, I read the article through Readability and it actually stripped out the Do and Don't headers

Thank you both! I'll fix this.

"Use a bluetooth keyboard for easier typing..."

Not a good advice for any public place (airports, cafes, etc). Very easy to listen to BT and intercept passwords as user types them in.

> Not a good advice for any public place (airports, cafes, etc). Very easy to listen to BT and intercept passwords as user types them in.

It's worth the risk to get people to use a iPhone or iPad more routinely. Also, the risk of this is exceedingly low because an attacker needs to actively interfere with the pairing process and be physically present for collection. This attack doesn't scale like "It's Windows, go pull the hard drive and read everything on it." I've never heard of LE using active BT attacks and I keep up on these things.

I don't know about LE but SDR is pretty cheap these days. How many people won't re-pair if its not working?

Things I'll never make quite time to play with: http://www.nsaplayset.org/tinyalamo

Here[0] is a link to a talk about wireless keyboard sniffing, including BT keyboards and their hardware/software solution for sniffing.

Specifically around BT keyboards they say this on one of their slides:

* Sniffing is possible but kind of “unstable”

* All pre-requirements for a successful PIN cracking can only be sniffed during pairing

* Complex documentation

So overall, not awful, but not fabulous either. Luckily most BT keyboards are severely limited in range (~ 30 feet max).

This is all from 2010, but is the latest source(s) I can find.

[0] http://www.remote-exploit.org/articles/keykeriki_v2_0__8211_...

Is there a documented attack on say, Apple's Magic Keyboard?

(if it is true that some (relatively modern) bluetooth keyboards are sniffable and some aren't, I'm sure you can convince them to amend the article with specific models that are believed to be better)

Search for a presentation from Ruxcon 2016, I don't recall the researchers names but they presented attacks on various keyboards including ones with AES support.

That's a talk about wireless keyboards in general, not Bluetooth. There are attacks on Bluetooth keyboards as well, but they're logistically complicated. See 'dguido's comment for more.

Time to call in the Guardian for an expose on Bluetooth keyboard security.

I'd second adding recommendations for specific models. There are a lot of BT keyboards on the market of varying quality.

(I don't in any way own this document).

I acknowledge that the situation with Bluetooth peripherals is complicated† and accept that there are probably a bunch of vendors that are unsafe to use. It might be reasonable to simply require Apple peripherals --- not because they're the best, but because Apple is more accountable to peripherals security than most other vendors are.

On the other hand, what we can't reasonably do is create a Bluetooth Keyboard Product Guide in a simple set of security recommendations. Not only will it not be effective, but it will discourage the audience, who will fall back to their previous insecure configurations.

So I'd ask to what extent we think Bluetooth sniffing attacks on journalists are a spy movie threat. No matter what device they use, simply by using a wireless device as an input, they're exposing those inputs to timing as well. But then, as well, Apple's software update could be targeted too.

The basic idea behind the "use a Bluetooth keyboard recommendation" is, I presume, to convince people who would otherwise use computers to do sensitive work to instead use an iDevice. That's a very sound security principle; those iDevices are far more secure than the median fully-functional computer.

If I had to pick between telling a journalist to use a random Bluetooth keyboard with an iPad, or use a Macbook or Thinkpad, I would have a hard time deciding, but I think I'd ultimately go with the random Bluetooth keyboard --- there are too many different ways the computer can be undetectably (to a typical user) owned up, and only one fairly elaborate scenario where the BT keyboard will screw them.

What I'm learning from working with at-risk normal users is that a lot of security steps we all take for granted are simply not on the table for the people who need security the most.

Way more complicated than the people claiming "Bluetooth keyboards are trivially sniffable" are letting on

I completely agree with your ranking/preference and your logic here, but I don't think listing a bunch of models nor even listing your ranking is beyond the comprehension or ability of journalists, lawyers, or activists. I think we differ in how much faith we have in the abilities of those groups of people.

In my experience, people, especially people with budgets like most mainstream journalists and lawyers, want a list of specific things, best of all SKUs, they can buy that will give them the most security.

I don't think they're incapable of following advice; I think they have a lot of competing demands on their time. Any bullet on this list needs to earn its place, and the list itself needs to work without requiring constant updates, because most people who use the list will only see a single snapshot of it in time.

> I don't think listing a bunch of models nor even listing your ranking is beyond the comprehension or ability of journalists, lawyers, or activists.

IME this greatly overestimates how hard this is for typical end users.

Imagine if you were asked to understand and implement a technical legal function. Maybe you could do it, but it would not be trivial, you'd have to figure out what the heck it meant and what was going on, and then try to implement it. You would need to hope you received good advice, because you have no way of discerning good from bad, and that the instructions were accurate, clear and complete.

At HN we are inside a bubble where these thing are trivial. As another analogy, appendectomies may be trivial for surgeons but incredibly difficult for me.

A sneaky way to suggest them would be to mention some that are comfortable to type on.

You need to think about the risks/threat model. If you have an attacker close enough to capture Bluetooth, it would be not a stretch to intercept keyboard input from a cable.

There are keyboards that force AES-128 and don't fall back IIRC microsoft makes some.

A USB keyboard is almost certainly easier to secure though.

Would be helpful to provide alternative to some of the Don'ts.

How does one transfer information if they can't transfer anything across the border?

Where should one store sensitive information? An encrypted drive you're not supposed to transfer across the border?

I'm not really sure what a person is supposed to do with either of those two recommendations, especially if we're saying that person is not tech-savvy. I think these will just be ignored because they don't seem very viable and require a lot of background knowledge and planning.

Also, why is Chrome preferred to Firefox? I generally assume Chrome is listened to by Google across the board, and it still lacks something like NoScript. Chrome doesn't seem to do block XSS well, either.

Similarly, why Gmail as opposed to, I don't know, something like Protonmail or the like? Safety behind big company, reliability, viability?

Why Chromebook and not just a normal Linux?

The inherent trust in Google in this list confuses me.

And 1password over KeyPass. It seems every cloud-based password manager has been hacked in a round robin fashion, but I guess this solves the other cloud based problem.

1. To transfer information across the border, create an encrypted volume, store it on a cloud provider, and download it when you return. Unfortunately, it's more complicated to do this than it should be, so people hoping to do it need individualized instruction. Also, particularly for refugees, there are legal implications to doing this. Ultimately, the simplest recommendation is: don't bring information across the border at all. Go without.

2. Because Chrome is significantly more secure than Firefox. See: rest of thread.

3. Because no email provider is truly safe, and Google's mail service is better defended than virtually any other mail provider. Things like Protonmail are security gimmicks. If you're concerned enough about messaging safety to use some idiosyncratic email provider, you're concerned enough to stop using email for secrets altogether: use Signal, WhatsApp, or Wire.

4. Because a Chromebook is safer for a typical user than Linux, and also because there's a (remote) chance that people might actually use a Chromebook. The security challenges of 2017 are not an opportunity to finally achieve Linux On The Desktop.

5. The list's most contentious recommendation is a rebuke to Google.

6. Standalone 1Password isn't a cloud-based password manager. People should avoid cloud-based password managers.

I also have my doubts about 1Password – although I am still a 1Password users, at least of the old approach (pay once, cloud sync but no web-accessible storage with 1Password). I guess I will have to look for an alternative sooner or later! :(

I use 1Password + Resilio (formerly BTSync) in local sync only mode.

It's kind of a pain in the ass sometimes (I can only sync at home) but the upside is no cloud component and it syncs nicely and automatically between multiple machines.

For mobile devices, I use the Wifi sync mode.

Great list, I'm glad the crew in the comment threads put it together. 2 observations:

* These lists are often made but are never kept up to date as recommendations change. Will this list be any different?

* Use Gmail? We can't pick some other web based, 2FA capable non-US hosted service that doesn't specifically use machines to scan your content for ad serves? This recommendation was the only one that furrowed my brow.

A weakness in the way these guidelines are worded is that it's not clear enough how much security experts discourage people from using email. Email is the single largest risk most at-risk people have, and not just because only 2 email providers have a team capable of securing their infrastructure or because the protocol is weak, but also because of existing collection capabilities and because of its "archive-by-default" design.

Yes: if you are using email at all, you should use Google's email service. Virtually every concern you'll state about using Google Mail is better articulated as a concern about using email at all (especially because 90% of the people lawyers and activists communicate with also use Google Mail).

If you want, instead, to militate against using email at all, I'll agree and also tell you that I expect this guide will get clearer about that.

Why g-mail instead of a more security focused provider like proton-mail? It seems to me like the only downside of proton-mail is that it is less well-known, but I'd compare it to signal vs whatsapp. And you can get journalists to use signal.

Only other thing I can think of is google being more secure by virtue of being bigger.

There was a thread a few days ago talking about Google security looking at how protect against compromised shared GPUs. (https://cloudplatform.googleblog.com/2017/02/fuzzing-PCI-Exp...)

How many organizations globally are doing research like that?

It is, in fact, more secure because is bigger. But that's not the only reason. See also: rest of thread.

Great to hear the guide will continue to evolve!

Given Google's standing policy of requiring a search warrant for access to user confidential data, as detailed in their Transparency Report[0], my reading is that law enforcement needs to go to the same legal effort to access your data-at-rest stored with Google as they would if it were stored offline in your own house. (And results in the same level of notification to you, modulo NSLs, which are a practical worry for some groups but not others.)

[0]: https://www.google.com/transparencyreport/userdatarequests/l...

> Google's standing policy

Google can change or ignore its policy at any time, without telling you. Depending on your level of risk, you might not want your security to depend on someone else's goodwill, especially someone for who has very many, much larger concerns than you.

Will Google forgo massive government contracts to protect you? Risk expensive lawsuits? What if you are politically unpopular; will Google risk its reputation for you?

My guess is it's because Google's security team is top notch and happy to share their threat intel with their users and that's much more relevant to journalists than using a non-US based service or one that avoids content based ad serving.

Except support is nonexistent, so if anything happens to your gmail access you're screwed there's nobody to contact. I would think any non profit who relies on emails for fundraising/networking would want a paid service like FastMail or other paid service with 2FA

Only in the alternate timeline where customer support and nerd optics are more important than platform security, which nobody other than Google does better.

Until you get locked out of your account of course, for a number of reasons such as heavy use that triggers an arbitrary lockout and there's nobody to contact. Somebody might also wish to purposely DoS your account with incorrect logins for a number of reasons too, like hiding a money transfer notification or just to screw with you.

So pay for G-Suite, the support is excellent. Non-profits can get it for free.

This should be updated to not just specify the US border. It should say any international border with border control.

In Canada you can be put in prison for 1 year if you don't give up your password at the border.

While I'm sure you are referring to the Alain Philippon case, your facts are wrong.

Firstly, the CBSA action was never tested in court. Failure to divulge information hasn't been defined as 'hindering' before. The case would probably have to go to the Supreme Court of Canada for it to be decided.

Secondly, even at the border you can choose to remain silent.

See linked page for advice from actual lawyers.

The most likely worst outcome is you get refused entry if you are not Canadian.


I'm a bit confused about the don't backup to Google Drive but use Gmail.

are you trusting google or not?

Mobile messaging, using an end-to-end encrypted system like WhatsApp or Signal, is the most secure way to communicate. Even the service provider cannot access the plaintext content of delivered messages. They exist in plaintext only at the end points (individual phones).

But if you store the content of those messages with a cloud provider--regardless of which company--you have killed a lot of security value. The plaintext will sit there, just waiting for someone to go get it, and you'll never know if they do.

Email does not work that way. Even if it is encrypted in transit, it is always stored in plaintext in servers at either end. So, taking that into account, which email service provider has the best security team to defend that plaintext. This guide argues it is Google.

There's virtually nothing in security that works this way. It's not the NFL. We don't pick teams and root for them. There are things that Google does that are superior to the alternatives, and there are things Apple does that are superior to the alternatives.

I understand and I agree with your point, however to me Gmail and google drive both fall into one bucket, Google's cloud offering. If any thing I would assume Drive is safer since it isnt forced to interact with an old unsecure protocol. They have full control of how it's implemented.

I pretty much follow most of these guidelines already, however I do use the Firefox browser and I wasn't aware it was so inseucre compared to Chrome. Is there a nice guide on hardening Firefox security or am I out of luck because of the sandbox situation?

FF does have a sandbox w/some versions https://wiki.mozilla.org/Security/Sandbox#Current_Status

Or try Firejail https://firejail.wordpress.com/ (Linux) or possibly Sandboxie on Windows https://www.sandboxie.com/

Great initiative.

>1. Don't send any sensitive information by email.

>2. Don't store sensitive information in cloud services like Evernote or Dropbox.

Both of these are good advice.

However, what I don't see is "how to share information securely". The intended audience surely needs a way to exchange information, e.g. documents but what are the recommendations on how they should do this?

>Carry a “USB data blocker” (either the whole cable or an adapter that plugs into your cable like this) to charge at airport or hotel chargers.

I would suggest that SyncStop[1][2] is recommended instead of the current device on the basis that SyncStop is created and sold by a security company that specialises in hardware security. It is also recommended by Mikko[3] from fsecure.

[1] http://syncstop.com/

[2] https://www.amazon.com/Syncstop-Syncstop/dp/B00ZQAY23U

[3] https://twitter.com/mikko/status/792980858340769792

So... Use Google services on a modern iDevice and don't use the fingerprint scanner and you're good?

The contrast with Snowdens recommendations is quite stark: https://theintercept.com/2015/11/12/edward-snowden-explains-...

Is iPhone actually fine replacement for Android in terms of security? I never owned an iPhone, but I was guessing that it is closed-source proprietary piece of hardware with closed-source proprietary piece of software running, which is perfectly able to be transferring all your data to the vendor and most likely does exactly that.

Security professionals tend to care about open source over closed source much less than many other factors.

Things that seem more important^:

- Well known and vetted data structures/algorithms etc

- Vulnerability history

- Large install base

- well regarded, well funded security team vetting the project

- capacity and history of fighting expensive legal battles on behalf of its users.

Its possible that there are android phones that meet these criteria but there are many that do not. The iphone on the other hand does. So rather than having very specific android phone recommendations its generally easier to just say use iPhone. So much so that most of the security professionals I've talked to view it as the most secure, commonly available computing platform period.

^Not a security professional, but I drink with a couple.

I see. I think there might be some distinction in regards of what different people view as "secure". Say, your phone produced by my company may be completely transparent to me and completely impenetrable to, say, tptacek. As I understand, in that narrative it is considered secure as you (the user) are supposed to trust me (the manufacturer). That's why iPhone is considered secure in comparison to Android, which is similarly backdoored, but in addition more penetrable to tptacek (the 3rd party).


No. Closed source binaries are not impenetrable to researchers. For a security audit you have to study the binary in any case so open source is a bonus not a requirement.

I didn't imply otherwise. I'm just wondering how it is iPhone is considered secure when it is happily sharing your data with Apple. Or doesn't it?

It's only sharing stuff with Apple if you allow it.

I've had to provide secured smartphones to an organization, and unfortunately they needed to use Android devices for a specific mission critical application.

iPhones are easy to setup and hard to fuck up. You use DEP and it arrives from the factory with a signed profile for your organization. You deliver it to the user, they sign in, and the MDM takes it from there.

With Android, forget it. They were at the time using LUKS for FDE, and there's no segmentation in the OS. So you need need a third party container solution (either from Samsung or another vendor) to protect your data. So you need a pre-boot password, device passcode, a container password, and possibly more. It's a real shitshow.

Apple lets you take the same level of control that a company would have for free with the Configurator app as well.

Android is so bad that iPhone is probably better, despite all those issues.

The real glaring issue here is that we don't really have good, safe services or devices available to us, especially if you want to stay plugged in (have access to the internet, social media, and necessary tools). Pretty much everything is owned by a corporation or compromised or both.

I'm not really convinced that much is gained by using one browser or phone over another at the end of the day. If someone really wants your information, and you're connected to the world, they'll figure out how to get it.

That's my point. I don't understand how is this recommendation any useful, if I'm not missing anything.

Maybe there is a better security guide for a bit more technical people? With why's and how's, explaining what are the real issues and causes of some practice being bad, and what are the possible solutions to it. Why is Android bad? Is it solved by stripping out google services? How do you do it properly? Is it solved by replacing an Android phone with iPhone? Etc. Without any of "jumping into the snake-pit is so bad, that jumping straight into the fire is probably better". Probably better, huh.

One thing to think about is the cost of exploits. [1]

It could be the case that iPhone users are more high value targets. IMHO It's more likely iPhone exploits are just harder to come by. (not impossible, just tougher)

[1] https://arstechnica.com/security/2016/09/1-5-million-bounty-...

> Use Chrome as your browser

This one breaks my heart a little.

I mean, I get it, I understand why it's there. But it still breaks my heart.

Agreed. Luckily Sandboxing, which is pretty much the big feature that sells Chrome for Security will get to FF, it will just take a bit longer. Plus with FF going crazy for Rust, I think FF has a bright future security wise.

An all-Rust browser would make a big difference. Sandboxing is good, but won't close the gap with Chromium, which just invests too much money into software security to lose much ground to other browsers.

Agreed for the most part. There is Servo[0] which is Mozilla's playground for a Rust Browser. It's not really usable for day-to-day browsing, but it's a neat proof of concept. They are actively moving stuff from it into FF, and FF now requires rust to build. Google definitely cares a lot about security. It's great to see them embrace U2F so heavily, that even Chrome supports it out of the box. I'm not sure FF will ever become Rust-only, but if it did, it would take quite a while I think.

[0] https://servo.org/

Is Edge + the new Windows Application Guard similar in protection?

So, no Android phones is not very pragmatic... Any justifications?

(Especially without saying to use only FOSS OS)

The security situation on Android is, full-stop, a tire fire. Be it the existence (at all) of external storage that badly-considered applications happily write sensitive stuff to (and for a journalist, your photos are sensitive) to the general mess that is Android application permissions (even in newer versions) to the slapdash, inconsistent way that updates get pushed to devices. It's all bad, and if you care about security, you should not use Android, no exceptions.

As it happens, I use an Android phone as a daily driver. But I'm not a journalist and I'm not handling data that isn't sensitive to anyone but myself. I'm willing to take that risk (edit: and I'm able to, to a level I'm comfortable with, mitigate those risks, which a non-technical person probably can't evaluate safely, to say nothing of implement). But I'm not a journalist whose sources may depend on me.

I agree it's overly broad statement without justification, but it's not entirely unfounded either. iOS's extreme walled garden does protect you from many things that Android doesn't. As another commenter mentioned, security permissions are a mess, malware is a real thing, and the power and versatility of Android leaves you very vulnerable if you're in a high risk profession who must keep secrets safe.

Very few of the items in here have justifications listed, because that's not productive for the intended audience. They don't want to know "why" any more than most patients want to know "why" their doctor prescribes one antibiotic versus another.

Even if your intended audience doesn't care about the why, you must necessarily provide justification so that another audience, which would want to make sure that you're not selling snake oil, could verify your why. Knowledge sharing only really works when there's a vetting process on some level.

No, that's not how it works. The guide itself doesn't need to be bulletproofed against zany accusations that the authors are selling snake oil; there are other ways to accomplish that without crudding the recommendations themselves up with verbiage to placate angry nerds.

I didn't say anything about bulletproofed, just explained. Right now, there's no explanation, and I'm asking for some justification, how are you getting "bulletproofing" from that?

I didn't say the authors are selling snake oil. But if a person doesn't know much about a subject, they may not be able to tell, and they should be suspicious. They might want to see a review or criticism of it. They might want to verify that it's well intentioned, especially on a sensitive subject such as this. There's nothing zany about that, it's common sense.

If I find some information source that presents itself as an arbiter of truth, but has no justification for its points, I cannot in good faith recommend it to anyone.

The only angry one here seems to be you, with many unnecessarily rude responses that do not at all inspire confidence.

Again: the audience for these instructions isn't asking for explanations or justifications. If you have a concern with any of these instructions, write a comment detailing it, and someone will respond.

> you must necessarily provide justification so that another audience, which would want to make sure that you're not selling snake oil, could verify your why

Much of the audience that has the expertise to effectively verify the wisdom of the advice in such a document will have already encountered the views it contains and will be familiar with the reasoning behind those views already. None of the guidance in the article is likely to be something they're hearing for the first time. Even if they disagree with something in the article in whole or in part, they already know why the people who compiled the article likely believe it.

It is good for there to be more detailed explanations for interested non-experts, and there have been a number of more detailed explanations of many of these items elsewhere on the internet. But for most people it's more important to know that, for example, a recent iPhone is their best choice for a secure phone than it is to know the details of why experts on the topic have come to that conclusion, just like it's more important for most people to take a flu vaccine each year than it is for them to understand the process by which that vaccines was formulated.

I agree with you completely, I chose the wording I did to not further anger the Android faithful.

Questions and suggestions:

1. For "Do as much of your work as possible on an iPhone or iPad." -- as opposed to what? Android and Windows? Would listing device options be a possibility?

2. Possibly: add a set of suggestions for transporting device(s) across borders or acquiring them. I suspect mail or package delivery might be an option -- or if it's not, then clarifying the risks would be of interest.

3. Operating systems: A list of most to least secure might also be handy. E.g., WinCE, Windows, MacOS, iOS, Linux, TAILS, etc. Some indication of where "good enough" starts to apply.

4. Out-of-scope for document to include a full set of terms and definitions, but a glossary with links to additional reading might be of interest.

5. Providing "why" links might also be useful. E.g., Fingerprints (can be forced to divulge, fewer legal protections than passwords).

6. Formatting: A bulleted list would be slightly easier to read. A numbered list can be specifically referenced (e.g., "'Don't' #4 ...").

7. Define terms. E.g., "Long password" "At least 20 characters, 200 if possible", say. Tips on passphrase generation (e.g., xkcd passphrases, "correct battery horse staple".

Finally: thank you for setting this up.

1. As opposed to a laptop.

2. Any concrete advice about crossing borders is hard to give right now. The goal in this document is just to alert people that it is not OK to travel with your work device.

3. For the audience here (think someone providing legal aid at an airport) this is too technical.

4,5,6 Great idea, thank you!

7. It's funny but the XKCD really seems to be the best thing to link.


1. Windows laptop, I take it? Or any laptop?

2. Even if specifics are hard to provide, a pointer to best information, a clear statement that "Any concrete advice about crossing borders is hard to give right now" (in fact that exact phrase strikes me as excellent), and perhaps a pointer to a larger document with laws pertaining to specific countries. Ranked, say, by interest and/or travel volume. World Bank has listings: http://data.worldbank.org/indicator/ST.INT.ARVL?year_high_de...

3. Even people providing legal aid may have support teams who could assimilate the information. Out-of-document link here. Think staged information delivery.

7. It's an effective format for communciation. There are several generators (caveat emptor) as well. For MacOS, it would be easy to create a local generator using wordlists (I've done same on Linux). The problem is actually that the system dictionaries are generally too comprehensive and have really obscure words in them. A GUI wrapper around a Very Simple Shell Script would tend to give good outputs.

> If you are going to use email, use Gmail, with a physical security key on your laptop and Google Authenticator on your phone.

I understand Google runs a tight ship security-wise, but what about the unintentional information leakage that occurs because they read all your mail to serve you ads?

If you're using email to communicate with humans, you are using Gmail since your counterparty is almost always using Gmail. Gmail and their ad scanning is unavoidable in practice when using email so your only real recourse is to use a different communication protocol.

Gmail is reasonably secure in situations that actually occur frequently. No other providers are. But even Gmail is optimized for adoption and monitization over security, so it's security efforts only go so far, particularly when interacting with other email providers.

> Use a password manager and have it generate random passwords for every site you use. A good password manager is 1password.

Be aware, that on Google's Android every app in the background has access to the clipboard. And Google refuses to fix that. It is fixed in CopperheadOS afaik.

> If you are going to use email, use Gmail, with ...

Is Gmail really the most secure email provider? I am sure it is not for non US citizens. But is it for US citizens. Don't you have better?

It would probably behoove someone to sell these laptops, iPads, and iPhones to journalists, lawyers, and other folks with these configurations. It's a lot easier to give them a pre-configured locked down device that they can't mess with than it is to ask them to actually buy a Yubikey.

It won't work for everyone - Slate's CMS is notorious for only working in Firefox, for example - but if Pro Publica is going to hire 30 journalists, then be their vendor.

Wouldn't this provide a great targt for spies and security services? I mean, maybe I'm being stupid here, but if I was in charge of the NSA and knew that people with sensitive information were buying this gear from a certain vendor, said vendor would be right at the top of the target list.

I don't think I'd be able to trust any individual or company selling 'secure devices' for journalists and activists.

That's a smart idea. But these instructions are also being given to immigration lawyers and to Muslim rights activists, both of whom have very limited budgets, so vendor isn't a great place to start.

Hey everyone. Apologies for the blatant plug but seeing as we are talking about security precautions for non-profits and journalists, it's probably relevant...

We build a tool specifically to help non-profits and journalists learn about and manage their digital and physical security on the move. It's called Umbrella App. It's free, open source, on Android and contains tons of lessons on privacy related issues like digital and physical security. Umbrella has everything from how to do basic stuff like communicate with basic tools like Signal to sending a secure email with PGP. However, the unique bit is we also have stuff on the physical side, like how to plan travel, cross borders, set-up a secure physical meeting, deal with detecting surveillance, covering a protest, respond to a kidnapping etc. Basically we have tried to make it a bit of a one-stop-shop for security for regular people, activists, refugees and journalists. We also pull security feeds from places like the UN, Centres for Disease Control etc - which is obviously very important to folks in places like Syria or affected by Zika/Ebola.

There’s tons of really relevant stuff in it, especially for those now mobilising for the first time on some issues. Loads of people are writing guides that solve small parts of the puzzle but we have tried to provide the whole picture in the one place.

Google Play Store: https://play.google.com/store/apps/details?id=org.secfirst.u...

Amazon App Store: https://www.amazon.com/Security-First-Umbrella-made-easy/dp/...

F-Droid Repo: https://secfirst.org/fdroid/repo

Github Repo: https://github.com/securityfirst

Code Audit: https://secfirst.org/blog.html

Hope some folks here find it useful/interesting!

Ends blatant plug

Please get this vetted by real security people. The fact that you mention PGP suggests to me you haven't.

How can a standard guide to installing and using PGP through various different methods be a security issue?

Because people should not be using PGP for secure messaging.

PGP isn't user friendly, but from the Snowden leaks we learned it is one of the few encryption standards the NSA hasn't been able to break. TLS and most configs of VPN protocols were shown to be easily compromised. PGP was basically shown to be a show stopper.

1. http://m.spiegel.de/international/germany/a-1010361.html

Agreed. It has many problems but it's still one of the only games in town.

> TLS and most configs of VPN protocols were shown to be easily compromised.

This is a major claim to be making, and it is false. It is not helpful to spread misinformation like this.

Easily was, perhaps, not the correct adverb, but the linked article above as well as this one below go into it more. It does not appear to be false.


Bruce Schneier has said while large government actors may be able to exploit it, it's still recommended: https://www.theguardian.com/world/2013/sep/05/nsa-how-to-rem...

Perhaps older versions of SSL, but there is no evidence that anyone has compromised TLS.

There is evidence that encrypted traffic was stored and research was done on the metadata of these connections but that is no surprise. That may be what they were referring to.

Also, threat models are important here...not everyone includes needs to include the five eyes as your threat model.

Of course. I am just using it as a yardstick for security strength.

I really think you're vastly exaggerating the difficulty of using PGP properly. With Enigmail and a small sheet of instructions, anyone slightly computer literate should do fine.

And there simply aren't any better alternatives for encrypting emails or files for transmission. I'd love to be wrong about that, but I haven't seen anything.

Agree, that's why we have it in. Even things like Mailvelope, can make it easier for a semi-technical user.

On what grounds? on what threat models? on what attacks? what alternatives?

Also, why using fingerprint to unlock devices is not recommended?

US law enforcement is allowed to take fingerprints, which can then be used to unlock the device. Somewhere less friendly may just compel you to put your finger on the device

Is it that different from making you enter your password? I don't see any real issue here if it's the only problem.

Your password is, in a weird US Constitutional sense, speech, and your 5th Amendment right not to be forced to self-incriminate protects you. Your fingerprint is not speech, and not protected in the same fashion.

(Once more for the folks in the back: fingerprints are usernames. Passwords are things you can rotate.)

I see. Thanks. The first one seems relevant only for people in the USA, but inability to change fingerprints is something, I guess.

Most other countries probably feel similarly, or they don't have anything like the 5th amendment. In places without something like the 5th amendment, you can choose to lie about your password, do it enough times, the device will reset and erase everything(assuming you set that up). One can not lie about their fingerprints.

Of course in places without something like the 5th, and you lie a few times, your death may find you quite quickly, there is at the very least an option... With a fingerprint, no options. Have a picture of your finger and game over.

I don't trust fingerprint unlocks. The recent incident where a child bypassed security using the finger of her sleeping mother was proof enough for me.

The 5th amendment protects your from being compelled to provide incriminating information.

Your fingerprint is an attribute of you and has no such protection.

I prefer to use a live version of ubuntu on a flash drive on a laptop with no hard drive in it. A separate sd card, or thumb drive with an entire encrypted file partition. Writing in plain text only.


As far as Android goes: who's auditing CopperheadOS? What white hats are looking at it and trying to compromise it so that it can be improved? What's their rep, what's their record, and how do they stack up against iOS's internal and external security tests?

As far as "ur own pgp enigmal with riseup" goes: how are you going to get people to email you? Are you, a journalist, going to manage SPF/DKIM and make sure you're doing it right? How are you going to manage antispam? Gmail is not perfect--but unless the totality of your threat model includes getting black-bagged because an NSL found encrypted emails in your inbox, it is probably the best option. (Protonmail is fine too, but increases friction--and increased friction increases the likelihood that you're not going to use it, falling back to easier tools.)

WhatsApp: either that or Signal are fine (and, indeed, run the same protocol!). XMPP relies largely on federation, which relies on federated servers not being compromised, so no, that's out. (I haven't looked at Silence, can't speak to it.)

Chromebooks are a decent option for some use cases, unless (as more and more journalists tend to do) you need something that can easily and effectively edit audio and video. Tails/Whonix/especially-Qubes are not because people need their stuff to actually work and to not spend more of their time fighting their computer than doing their jobs; to that end, a properly patched OS X is a pretty reasonable call.

"Getting real here" means finding a workable place on the do-your-job/security curve, and most of what you're saying is not. For example, of course you would "use social media", because that's a large part of the job of a journalist in 2017. Your recommendations, while (I assume) in good faith, indicate a willingness to invest more time in fighting your stuff than doing your job. Nobody else cares. Recommend what's easy and what gets 95% of the way there (and not, as with something like CopperheadOS, actually detracts).

> Avoid installing spurious, unknown or unnecessary extensions.

This is wrong. You absolutely must use an ad blocker or noscript extension if you intend to browse the web securely.

The guide doesn't say not to install an ad blocker, but I dispute that claim nonetheless. Ad blockers are fine, and probably add marginally to security, but I don't think they a necessity --- if you're using Chrome/Chromium.

If I was using Firefox or IE, I would agree with you. But step one here is not to be using un-hardened browsers.

I generally make an exception for HTTPS Everywhere and Google Password Alert when I wrote things like this, but I agree that maybe it's worth it to cut them and simplify the guide.



HTTPS Everywhere would be a win (I'd have to think about whether it's enough of one to earn its place on the list, but if you added it, you could also suggest an ad-blocker --- another issue there though is suggesting ad blockers to journalists gets to a tricky place).

GPA is great, but the premise behind this guide is that if you're relying on passwords for Google you're already boned. It's a security win even with TOTP enabled, but I don't think it's enough to earn a spot.

These guidelines are being distributed to activists and journalists along with free U2F keys, for whatever that's worth.

> HTTPS Everywhere would be a win

IME, it breaks too many sites to give to all end-users; if the default configuration omitted sites listed as 'Partial'; maybe it would be passable. Maybe have a subcategory for intermediate users and put it there. Novice-level users (for lack of a better term) have no idea why the website is not working, and thus don't even know to consider disabling HTTPS Everywhere.

Also, it makes the user easier to identify.

At some point there was a fake uBlock Origin in the Chrome Web Store and it ranked even higher than the original (afaik). Since then I'm a bit wary recommending browser extensions.

Not so much wrong as missing a line to install a script blocker that's neither spurious, unknown nor unnecessary. In general, the warning against extension is good.

Consider the meanings of "must use", "spurious", "unknown" and "unnecessary".

While iOS devices are generally more secure, its been proven that Apple has been a part of the various NSA programs (X-Keyscore, PRISM, etc).

Chromebooks are made by Google, who is also a known partner ni these programs.

It all comes down to who you trust, and recommending that Journalists use iOS Devices and Chromebooks made by Apple and Google who are known snoopers is a bad bet if the thing you're trying to avoid is the US Government.

Also, bluetooth keyboards are trivial to listen in on. Not a great recommendation.

This article is short but bogus.

The people these notes are targeted at are not going to use whatever the vanity "secure" non-Google-infected non-Apple-infected non-Microsoft-infected options you'll have in mind. It's not going to happen. If you want to write a separate set of recommendations for people who spend their lives on Tor, that's fine. These recommendations have to work for people who are barely willing to install software, let along switch to idiosyncratic hardware.

Step 1: Wear a wig and dark sunglasses and buy a laptop (with cash while you still can) from a Walmart as far away from where you live as possible and never, never connect it to a network.

Step 2: The rest is easy.

Edit: You guys need to get a sense of humor

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact