Last friday I was gatecrashing the Investigative Reporters and Editors Computer-Aided Reporting conference up in Baltimore. Super cool conference; I’ll write it up more generally later. I was asked to share a bit about NDI’s perspective from the field on how we work with political activists and citizen journalists to be aware of the risks they face when using the internet for organizing or communications.
It was a great crew up there - myself, Jennifer Valentino-DeVries from the Wall Street Journal and Susan McGregor from Columbia University ably moderated by Josh Meyer, a board member with the sponsoring organization.
Sometimes in life it’s hard to know what to say (a buddy’s unsuitable engagement, a breakup convo, comments on a friend’s poor artistic performance) and one of them for me are 10-minute digital security discussions. You can’t dive into the details of a complicated tool like GPG. You can scare the pants off of them, but playing dead is not a valid defense mechanism online. So we tag-teamed it. Susan started things off with a quick “how the internet works” - and therefore where you can be attacked - while Jennifer focused on some core software of use in newsrooms like Tor, password managers and Cryptocat.
I decided to take a slightly different tack and talk about really boring stuff. Seems like a presentation winner, right?
When it comes down to it, the majority of attacks on activists or journalists aren’t super sophisticated. Citizems covering the brutal conflict in Syria are not getting owned by tapping Tor exit nodes. It’s not someone brute-force cracking your laptop password. It’s definitely not some sinister flaw in TLS. Most hacks target the basics: unpatched operating systems or software, viruses, bad passwords and malevolent attachments. This is the thing that gets our partners around the world - and for that matter, NDI staff as well.
There’s no way to keep yourself perfectly safe from a zero-day attack on a hole in your software, but there’s a lot you can do to protect yourself.
- Start from a safe place. If you don’t entirely trust your computer, back it up and reinstall. Your computer is your ultimate foundation - if you don’t start clean you can feel safe.
- Update your operating system and programs early and often. Make sure Windows checks daily for updates and apply them right away. Same goes for Mac OS, Android, and iOS. If there’s a security patch, that means there’s an actual live problem - and the bad guys know it already. This goes for software like Office and Adobe Acrobat as well.
- Use good antivirus and keep it up to date. Avast has a pretty good freeware version, but paying for a commercial version can be worth it. Most importantly, make sure it is constantly checking for updated virus definitions.
- Don’t open attachments. Don’t send attachments. If you must, Google Drive lets you open documents or spreadsheets in a safe form. Be the change. Break the culture of using attachments.
- Use decent passwords, one per site. Pick four random common words and you’re set. (Obligatory reference to XKCD.) That’s still too much to remember (cuz you’re never reusing passwords, right?) so keep them in a password vault. 1password, keepass, lastpass - they all work.
Basics are boring, but if you religiously adhere to these 5 tips you’re going to be much safer - and force the baddies to work much harder to get you.