Security tips for Journalists

Practical Internet Security for Journalists
(In 10 Minutes)
Andrew Lih
Assistant professor
Journalism and Media Studies Centre
University of Hong Kong

Foreign Correspondents Club – HK
March 2, 2006

This is a brief recap of the talk given in March 2006. It will be updated with links and more elaborate tutorials soon. -Andrew

Overview

* Motivations
* Three most practical tools
* Four secondary tools
* Two good practices

Motivations

* Foreign correspondents on the move
* Job needs – investigative journalism, protecting sources, privacy to work, confidential research, prevent blackmail
* Different countries/laws
* Don’t be at the mercy of others
* Take matters into own hands…

Typical Scenario

* Journalist with laptop on assignment, plugs into hotel broadband/wireless to work. Risks:
- Password captured
- Email read
- Identity revealed, activity traced
- Laptop physical security, files accessed

Solutions

* Encryption
* Protect personal info
* Security practices
* Password discipline
* Account discipline

Tools

* Three practical steps
* Easy to use
* Free versions of all
* Can be put on USB memory stick

Tool 1 – TrueCrypt

* Makes new “disk” on Windows computer
* Completely encrypted, secured by password
* Store documents, notes, source lists
* AES encryption – 149 trillion years to crack a 128-bit AES key

TrueCrypt

* Country-specific laws
* http://www.truecrypt.org/

Tool 2 – Hushmail

* Web-based, all mail encrypted on disk
* Can send/receive encrypted email
* No personal info, no logs kept
* “Not even Hush can access the encryption keys of individual users”
* Free simple account, US $29.99 for full account
* Targeted use

Hushmail

* Anonymous accounts
* Email notification
* http://www.hushmail.com/

Tool 3 – Torpark

* Combination of Firefox web browser and TOR anonymous router
* Easy to use, one-click access
* Conceals IP address, encrypted
* Works around content blocking/monitoring
* Uses The Onion Router – http://tor.eff.org/

Torpark

* http://www.freehaven.net/~arrakis/torpark.html
* May be slow to start up (20-30 seconds)

Practices

* Password discipline
* Email account discipline

Passwords

* Have three types on hand
- Trivial (“buddha”)
- Nontrivial (“h@ppybuddh@”)
- Banking strength (“6eijin9spring!1978”, like Beijing Spring)
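
Added example (not from the original talk): a rough comparison of the three sample passwords above under a naive per-character estimate and under a guesser that tries dictionary words and look-alike substitutions first. The four-word list, the 100,000-word dictionary size and the one-bit-per-substitution cost are assumptions chosen for illustration.

```python
import math

# Constructed stand-in for a guessing dictionary; WORD_BITS assumes a 100,000-word list.
WORDLIST = {"buddha", "happy", "beijing", "spring"}
WORD_BITS = math.log2(100_000)
# Common look-alike substitutions undone before the dictionary lookup (assumed set).
DELEET = str.maketrans("@013569$!", "aolesbgsi")

def charset_size(pw):
    """Size of the character classes present (26 lower, 26 upper, 10 digits, 32 symbols)."""
    return (26 * any(c.islower() for c in pw) + 26 * any(c.isupper() for c in pw)
            + 10 * any(c.isdigit() for c in pw) + 32 * any(not c.isalnum() for c in pw))

def charset_bits(pw):
    """Naive estimate: every character drawn independently from the classes used."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0

def pattern_bits(pw):
    """Rough estimate for a guesser that tries words and substitutions first (ASCII input)."""
    norm = pw.lower().translate(DELEET)
    bits, leftover, i = 0.0, "", 0
    while i < len(pw):
        # Longest wordlist entry starting at position i of the normalised password.
        word = max((w for w in WORDLIST if norm.startswith(w, i)), key=len, default=None)
        if word:
            swapped = sum(pw[j].lower() != norm[j] for j in range(i, i + len(word)))
            bits += WORD_BITS + swapped  # one extra bit per substituted character (assumption)
            i += len(word)
        else:
            leftover += pw[i]
            i += 1
    return bits + charset_bits(leftover)  # unmatched characters keep the naive estimate

def report(passwords):
    """Return (password, naive bits, pattern-aware bits) for each password."""
    return [(pw, round(charset_bits(pw), 1), round(pattern_bits(pw), 1)) for pw in passwords]

if __name__ == "__main__":
    for row in report(["buddha", "h@ppybuddh@", "6eijin9spring!1978"]):
        print("%-20s naive=%6.1f bits  pattern-aware=%6.1f bits" % row)
```

The ordering of the three tiers holds under both estimates, but the pattern-aware figure is far lower than the naive one for each of them, because substituting “@” for “a” costs a dictionary-based guesser very little.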

Accounts

* Throwaway – Free services (spam collects, reminders, bogus name)
- junkbox168@yahoo.com
* General (Email, work, personal)
- fred.wong@gmail.com
- fred.wong@scmp.com
* Secure (Confidential sources, interaction)
- fred.wong@hush.com

Internet access

* Home, cafes, wireless, hotels on the road
* Consider extremely insecure
* Who can contact your computer?
* Who can read what you’re doing?
* Passwords in the clear?

More steps (4-5)

* Google mail – https://mail.google.com/mail
- Note the “S” and must be that address!
- Entire session is encrypted
- Yahoo/Hotmail – encrypted login, not session
* Firefox browser – http://www.mozilla.com/firefox/
- Clear all private data option
- Blocks malicious popups

More steps (6-7)

* Skype – http://www.skype.com
- Secure instant messaging
- Encrypted voice conversations
* VPN – http://publicvpn.com, http://www.hotspotvpn.com
- Commercial virtual private network
- Secures wireless access, hotel access, avoids filters
- US $5.95 a month

Review

* If you remember nothing else today…
- TrueCrypt
- Hushmail
- Torpark
- Avoid Yahoo/Hotmail
* Put it on a USB memory drive
* Can use in Internet cafes
* http://www.andrewlih.com/securitytips

Retooled

Before

* Internet Explorer
* Yahoo/Hotmail
* Weak password
* Cleartext transmissions
* Documents on disk
* Instant messaging

After

* Mozilla Firefox
* Google mail (https)
* Hushmail
* Strong passwords
* VPN or secure email
* TrueCrypt volume
* Skype

Summary

* Don’t leave digital breadcrumbs
* Don’t let others decide your fate
* Still legal liability – subpoena, state secrets, etc. – but you control your destiny
* Secure email, transmission, disk storage
* Practical steps – encryption

Summary

* Security Tips for Journalists
* http://www.andrewlih.com/securitytips/

Contact
Andrew LIH
site – http://www.andrewlih.com
email – alih@andrewlih.com
