The Register: 4 Ways the Guardian Could Have Protected Snowden

Frosty Piss writes with this excerpt from The Register: "The Guardian's editor-in-chief Alan Rusbridger fears journalists – and, by extension, everyone – will be reduced to using pen and paper to avoid prying American and British spooks online. And his reporters must fly around the world to hold face-to-face meetings with sources ('Not good for the environment, but increasingly the only way to operate') because they believe all their internet and phone chatter will be eavesdropped on by the NSA and GCHQ. 'It would be highly unadvisable for any journalist to regard any electronic means of communication as safe,' he wrote. El Reg would like to save The Guardian a few bob, and reduce the jet-setting lefty paper's carbon footprint, by suggesting some handy tips – most of them based on the NSA's own guidance."

Wait -- *their* guidance?

"most of them based on the NSA's own guidance"

Should you take guidance from people who have been proven to lie?

Re:Wait -- *their* guidance?

[Mr.+Slippery]

Should you take guidance from people who have been proven to lie?

The NSA is a deeply schizophrenic organization. On one side you have people seeking to defend and secure Americans' computer systems and networks against crackers, foreign spies, and the like. They'll propose BS like key escrow, but they're actually fairly honest: they know if there is a backdoor they can use, their adversaries can use it too.

On the other hand you have people seeking to break into computer systems and networks, including those of Americans. They oughta be first against the wall when the revolution comes.

spoiler alert

[noh8rz10]

here are the four things, pulled from the article:

1. Encryption: It's not hard
* Keep your private key secret, encrypted and in one place (eg, not a police interrogation room)
* Meet the Advanced Encryption Standard

2. Use clean machines

3. How to shift the data securely

4. Using hidden services

What if...

[MRe_nl]

When secret police come with secret orders based on secret laws signed by a secret court we secretly dispose of their bodies?

Dump data into a darknet

[Adult+film+producer]

The Freenet network is still alive and is very useful for this kind of thing.

https://freenetproject.org/

Not sure what author of article is going for

[VinylRecords]

1.) Encryption: It's not hard

Shouldn't really be a factor now that Snowden is known publicly. When Snowden was trying to escape the U.S. it was necessary for him to be paranoid and secretive. Now he's already given a full copy of all of his information to Greenwald in person. Snowden was protected well by his news contacts. They had him reveal himself to the world on his own time and not have his name leak before he wanted it to leak. He was safe when it mattered. The Guardian did an acceptable job getting Snowden to safety.

2.) Use clean machines

Extremely difficult. The US has deals with phone companies, operating system creators, and hardware manufacturers, to put backdoor systems into so many devices. They monitor so many email and phone companies. How can you be fully sure you didn't buy a machine that has a secret backdoor entry that the FBI or CIA can get into easily? How can you know that your PC isn't already set up for intercepts on all of your activity? You'd need to be an expert on computer software, hardware, intercept technology, and so many other things just to detect that you were being actively monitored. And being passively monitored like how the NSA just copies everything sent anywhere.

3.) How to shift the data securely

The governments of the world can potentially intercept ANYTHING. Phone calls, emails, text messages, picture messages, faxes, voices through a hidden microphone, credit card transactions, smoke signals, bank statements, parabolic intercepts. Nothing is truly secure in this day and age. A reporter can use a courier by land or plane and that person can be held in a cell for nine hours while being interrogated. But an in-person intercept is known to both parties. A phone intercept is tough to fully know about unless you have an inside source telling you "your personal phones and prepaid phones are all tracked". Thanks to Snowden I now assume that EVERYTHING is tracked by the government.

4.) Using hidden services

The government is cracking down on those. Lavabit could not stop the government. Why would any other black site or anonymous exchange be able to stop the government? The government can stop billion dollar companies from operating overnight. Like a small email or messaging company can withstand the onslaught of a multi-national cyber-military operation?

Re:Not sure what author of article is going for

[dgatwood]

2.) Use clean machines

Extremely difficult. The US has deals with phone companies, operating system creators, and hardware manufacturers, to put backdoor systems into so many devices. They monitor so many email and phone companies. How can you be fully sure you didn't buy a machine that has a secret backdoor entry that the FBI or CIA can get into easily? How can you know that your PC isn't already set up for intercepts on all of your activity? You'd need to be an expert on computer software, hardware, intercept technology, and so many other things just to detect that you were being actively monitored. And being passively monitored like how the NSA just copies everything sent anywhere.

Not difficult at all. It's called an air gap. You buy a laptop specifically for the purpose of decrypting the messages. You set it up without connecting it to the Internet. You generate your private-public key pair on this machine and use a flash drive to manually copy the public key to a different machine so that you can provide it to whoever needs it. When you receive a message, you copy that to a flash drive, then copy it to the other machine, then extract it.

Ideally, the private key should also be stored on a (different) USB key that you carry with you, to reduce the risk of physical theft by (hopefully) ensuring that the key and the encrypted data are never in the same place except when you are decrypting that data. If you are really paranoid, you can split the key into pieces so that multiple key dongles held by separate people must be stolen or confiscated before encryption is compromised.

This is how high-security data handling works everywhere. If intercepting it could mean the end of (the|your) world, you build an air gap, and you ensure that the computers on the inside of that gap are never connected to the public Internet in any way, shape or form. And when you're done with the machine, you destroy its hard drive in accordance with DoD manual 5200.01.

Of course, this ignores TEMPEST/Van Eck phreaking; chances are, you aren't that important, but if you are, you should also take precautions to physically secure your air gap room against any EM emissions from the computer in question.

And as always, Keep Calm and Carry a Towel.

Re:Not sure what author of article is going for

[Dan+East]

2.) Use clean machines

Extremely difficult. The US has deals with phone companies, operating system creators, and hardware manufacturers, to put backdoor systems into so many devices. They monitor so many email and phone companies. How can you be fully sure you didn't buy a machine that has a secret backdoor entry that the FBI or CIA can get into easily? How can you know that your PC isn't already set up for intercepts on all of your activity? You'd need to be an expert on computer software, hardware, intercept technology, and so many other things just to detect that you were being actively monitored. And being passively monitored like how the NSA just copies everything sent anywhere.

I call BS on this one. "You'd need to be an expert on computer software, hardware, intercept technology, and so many other things just to detect that you were being actively monitored." No, you don't. It only takes ONE expert to find that Dell, HP, Microsoft, Apple, OSX, Windows, Linux, has all these supposed backdoors to blow the whistle. While we have cases where various cloud / online services have been forced to turn over information, none of what you're claiming has been reported with hardware and OS vendors.

You're missing one important thing in your paranoia. Existing networks still have to be utilized to transfer this data. If every home PC had such a backdoor, then they still would have to use the internet connection to transmit that data. And yes, there are experts that do watch for this kind of thing, and keep an eye on what their machines are connecting to and why. Unless you're also positing the conspiracy theory that every machine has some totally secret wireless communication built in that talks to some government ghost network that no one has discovered either.

Yes, the NSA is reaching way too far, but even so you've got your tin foil hat way too tight.

Re:Not sure what author of article is going for

[Dunbal]

You are assuming that when you tell your computer to turn off the WiFi, the WiFi stays off. Now if cell phones that are "off" can record the conversations of mobsters without them knowing it, what makes you trust your computer all of a sudden? It would have to be an "air gap" somewhere in the countryside away from any wifi signal...

Snowden didn't want protection

Snowden and the reporters he communicated with did use encryption and other means to preserve secrecy while he was initially doing the leaks. But once it became front-page news, he wanted the publicity, and he told them to go public.

Encryption IS unfortuately too hard

[sjbe]

Encryption: It's not hard

Yes it is. It fails the mom test badly. More properly it is key management that is too difficult. The actual key generation can be automated mostly. Distribution and use of keys is inherently difficult with no obviously easy solution.

Re:Encryption IS unfortuately too hard

[Immerman]

But there's no reason it has to be. The newspaper could easily create/bundle a basic application that runs of a flash drive to handle all the encryption/decryption, tor tunneling, etc. The stripped down version:

The informant-to-be downloads and launches the "Guardmail Program" for the first time
- Personal public and private keys are generated silently and stored in a data file alongside the program
- User writes an email and adds attachments as per normal
- User provides destination address and public encryption key + CRC code available on The Guardian's contact page
- CRC code is checked to ensure that there are no typos in the encryption key (is this normal? It should be if not)
- email, attachments, and P.S.ed personal public encryption key are encrypted
- Resulting data-file is then sent to the destination via whatever origin-obscuring pathways they decide to integrate.

- Later the program is run again and told to "check mail" - it goes to whatever anonymized dropbox is being used, via whatever hidden pathway, and looks for messages directed to the User
- Any messages are downloaded and decrypted. Attachments can be decrypted and saved just as you would from a webmail site

From the users perspective all they did was fire up a special "magic" email program that lets them send things much more secretly, from an interface that looks essentially like any webmail frontend, but the data never sits anywhere unencrypted unless attachments are "saved" (exported) from Guardmail. Does such a program truly not already exist? If so, the why the $#@! not? Sure it's a bit limited and inflexible, but it would put reasonably secure communication in the hands of anyone who had a need for it, no technological knowledge required.

Re:Encryption IS unfortuately too hard

[newbie_fantod]

It fails the mom test badly.

Yes, but any moms who are editors of respected international journalistic institutions are probably smart enough to understand and use encryption.

The NSA would like to thank you very much

[hyades1]

From TFA:

"El Reg would like to save The Guardian a few bob, and reduce the jet-setting lefty paper's carbon footprint, by suggesting some handy tips â" most of them based on the NSA's own guidance".

Since the NSA gets a lot more information from metadata than from the message itself, I imagine they'd be delighted to have journalists encrypting everything important (lazy buggers that they are, they probably wouldn't bother with anything that wasn't).

By jumping through all the hoops in the NSA guidelines, you just sorted yourself into a tiny minority that has something to hide. You can guarantee you'll have spooks from every spy agency in the free world tracking where you go, who you talk to, who THEY talk to and what all of you do all day, where you keep your money, where you spend it, and who makes your morning coffee when the wife's out of town.

And laughing. You just KNOW they'll be laughing.

Re:The NSA would like to thank you very much

[TapeCutter]

Personally I think El-Reg may be experiencing some professional jealousy. The patronising tone paints the Guardian reporters as political ideologues in trouble, but the fact is that investigative journalism is hard and expensive, and the Guardian are world leaders in the art.

Re:MacOS secure!!!!

[Dunbal]

No, even then you can't guarantee it. There was an article by Dennis Ritchie (yes, one of the co-authors of the C language) that pretty much proved how there could already be back doors in compilers which are slipping in back doors to executable files without anyone knowing it. You can't stop with reading the source code. You would actually have to go through the machine code, line by line.

Re:MacOS secure!!!!

[cybersquid]

I was about to post this!
Here's a link to the article: The Ken Thompson Hack

5. First Amendment

[globaljustin]

TFA (& everyone else it seems) misses a key option: release anonymously using US First Amendment protection.

The US has **the most journalistic freedom in the world**

Accept it...in fact, the Guardian is working with NY Times to release future Snowden info *precisely* because the US has the 1st Amendment. From The Guardian's editor:

Journalists in America are protected by the first amendment which guarantees free speech and in practice prevents the state seeking pre-publication injunctions or "prior restraint"

Not only that, in the US, journalists may use **anonymous sources**...they risk their reputation and job, and it has to be cleared by their editors, but it is done routinely (ex: Deep Throat).

If journalists release secret info, they can be subpoenaed to reveal their source. IF THEY REFUSE...the journalist can be jailed ONLY a short period of time, never more than 6-9 months as a 'coercive tactic'...but the gov't HAS TO LET THEM GO if they still don't talk!!!

This process is something every college journalism major learns.

Glenn Greenwald is using Snowden to further his career...the way he's shopping Snowden interviews around proves it.

The Guardian could have done this **completely differently** and Snowden would still have his job, and Greenwald would have a book deal and a ton of street cred...

Re:5. First Amendment

[erikkemperman]

The US has **the most journalistic freedom in the world**

wrong, according the journos themselves at least; US doesn't even make it into the top 30.

hung him out to dry

[globaljustin]

it was probably intentional not to go out of their way to protect him

I agree...and I think you are being overly fair to the Guardian and Greenwald. They could have done this completely differently and Snowden would still have his job and hot 'girlfriend'...

Anonymous source.

IMHO, Greenwald and the Guardian led Snowden around like a sheep, taking advantage of his internal motivations for releasing the info.

The truth is, Snowden's info isn't actually revealing of any *new* info, only operational details of already-reported on programs...and seriously it's common knowledge that the Feds could spy on us via the Patriot Act.

Read it for yourself, from USA Today in 2006:

The National Security Agency has been secretly collecting the phone call records of tens of millions of Americans, using data provided by AT&T, Verizon and BellSouth, people with direct knowledge of the arrangement told USA TODAY.

He broke the law technically, revealing info that was Top Secret, but it's not exactly "news"....unless you muckrake and take advantage of the fact that most journalists never understood what the Patriot Act allows.

It's all hype...we definitely could have had a "national conversation about privacy and surveillance" without all this flap!

Re:hung him out to dry

[Obfuscant]

The truth is, Snowden's info isn't actually revealing of any *new* info, only operational details of already-reported on programs...

Our local senator is one of the ones who has been hinting to us that this is going on since early this year. He couldn't tell us what it was, but ...

He also didn't think it was enough of a problem to bother trying to stop it.

Just RTFA

[FatLittleMonkey]

I can read it on your machine before you encrypt it

The "clean machine" never connects to the 'net. It handles the encryption and is the only machine that sees the decrypted data. The machine that touches the net (somewhere remote to your home/office connection) only sees the encrypted file.

When you realize that I have the power to quickly mobilize any police force almost anywhere in the world to get what I want, you will realize by how much you are screwed.

"If you just want to "stay anonymous from the NSA", or whomever good luck with that. My advice? Pick different adversaries."

Most importantly.

[FatLittleMonkey]

7. Start doing steps 1-6 NOW. Routinely. Across your entire media organisation. When you don't need it.

Don't wait until you're doing something you want to hide, then suddenly start using high-end crypto and data obfuscation and special networks to shout "LOOK AT ME, I HAVE SOMETHING TO HIDE".

You didn't RTFA

[AliasMarlowe]

But I can read it on your machine before you encrypt it, cos I'm the NSA and if Microsoft won't give me a back door (usually they do), I just lean on Nvidia, Hewlett Packard, or someone to write me a trojan into their drivers so I can get my back door. It's trivial.

This is one of the reasons that El Reg pointed us to the NSA's own recommendation to USE LINUX. Specifically, use a hardened Linux which is far more secure than any version of Windows, and rather less prone to insertion of back doors into drivers. Here's the relevant bit from El Reg:
"Buy new machines for cash from a shop and harden them against attack: why not (again) take the NSA's own advice and make sure you're using Security-Enhanced Linux, a series of patches for the open-source OS that are now part of Linus Torvalds' official mainline kernel."

Re:that was a questionaire

[erikkemperman]

No. I am arguing that one might give more weight to the results of polls among a large number of journalists around the planet, rather than the opinion of this single guy -- Guardian editor or not.

And even if he's right that NYTimes are better equipped for this kind of thing, that's still a far cry from saying that the US does therefore in its entirety have "the most journalistic freedom" in the world -- which was what you were arguing.