information security

Book: Information security for journalists - V1.1

With journalist Silkie Carlo I have co-authored a 'handbook' on practical information security for journalists commissioned by the UK Centre for Investigative Journalism. The CIJ handbook 'Information Security for Journalists' was launched at the CIJ Summer School 2014 in London. The book will be forever freely available in a range of electronic formats - see download links below. In the four months after the initial publication in we have rewritten certain parts based on feedback from the initial readers and updated other parts to stay current with the latest software changes. Many thanks to all who gave us valuable feedback.

Altough this book was originally written for investigative journalists most of the described concepts and technical solutions are just as usable by lawyers or advisors protecting communications with their clients, doctors protecting medical privacy and of course politicians, activists or anyone else who engages powerful state and corporate organisations. Really, we're all journalists now. Inside the book is a mailadres for getting in touch, please let us know how your are using it and what we can do better.

If you have reasons to suspect your online movements are already under some form of surveilance you should not download this book using a computer or netwpork associated with your identity (such as your home or work systems).

Several participants of journalist training programs have written articles: Information security for journalists: staying secure online by Alastair Reid (from journalism.co.uk) - A day with the surveillance expert by Jason Murdock, Offtherecord.in - Valentina Novak wrote this interview after a lecture & workshop in Slovenia last November.

On Tuesday July 8th 2014 I was once more a guest on Max Keiser's programme 'The Keiser Report' to discuss the book. Video here on my blog, here on RT site and here on Youtube.

From the 'backflap' of the book:

RT.com interview on 'secure' smartphone apps

On Friday October 17th I was interviewed by Russia Today on the security of 'secure' smartphone apps that turn out to not be so secure. After 18 months of Snowden revelations that should be not news but for the Guardian newspaper it is.

Bankrupting the NSA with Tails & defeating TTIP

On Tuesday July 8th 2014 I was once more a guest on Max Keiser's programme 'The Keiser Report'. Max is a former Wall Street trader who foresaw the current economic crisis a decade ago. On his show he lets rip on the insane financial system and allows his guests to do the same.

Max asked me about the handbook 'Information Security for Journalists' I co-authored with journalist Silkie Carlo. The tools and methods it describes can help is slowing down the NSA by increasing the cost of surveiling individuals by a factor of about 1 million. We also discussed the latest US-inspired attempt-at-corporate-takeover-disquised-as-trade-agreement known as TTIP. I think this wil be defeated in the same way as its smaller precursors ACTA and SOPA before it because it is not in Europe's interest. This will require some serious action on behalf of Europeans since our politicians seem a tad slow in recognising the patterns here.

Full Keiserreport episode here on RT site and here on Youtube.

Book: Information security for journalists

With journalist Silkie Carlo I have co-authored a 'handbook' on practical information security for journalists commissioned by the UK Centre for Investigative Journalism. The CIJ handbook 'Information Security for Journalists' was launched at the CIJ Summer School 2014 last weekend in London. The book will be freely available in electronic format and in print after the summer. Just like last year I gave lectures (slides) and ran a hands-on workshop to get journalists 'tooled-up' so they can better protect their sources, themselves and their stories in a post-Snowden world.

From the 'backflap' of the book:

This handbook is a very important practical tool for journalists. And it is of particular importance to investigative reporters. For the first time journalists are now aware that virtually every electronic communication we make or receive is being recorded, stored and subject to analysis and action. As this surveillance is being conducted in secret, without scrutiny, transparency or any realistic form of accountability, our sources, our stories and our professional work itself is under threat.

After Snowden’s disclosures we know that there are real safeguards and real counter measures available. The CIJ’s latest handbook, Information Security for Journalists, lays out the most effective means of keeping your work private and safe from spying. It explains how to write safely, how to think about security and how to safely receive, store and send information that a government or powerful corporation may be keen for you not to know, to have or to share. To ensure your privacy and the safety of your sources, Information Security for Journalists will help you to make your communications indecipherable, untraceable and anonymous.

Although this handbook is largely about how to use your computer, you don’t need to have a computer science degree to use it. Its authors, and the experts advising the project are ensuring its practical accuracy and usability, and work with the latest technology.

Gavin MacFadyen,
Director of the Centre for Investigative Journalism

This handbook is being translated into Arabic, Chinese, French, German, Portugese, Spanish, and other languages

On Tuesday July 8th 2014 I was once more a guest on Max Keiser's programme 'The Keiser Report' to discuss the book. Video here on my blog, here on RT site and here on Youtube.

Speaking at Dataharvest+ conference

I will be speaking and workshopping at the 2014 Dataharvest+ conference in Brussels. This conference brings together investigative journalists, (big)data wranglers, coders & hackers to kick journalism into the 21st century.

My contribution will be a series of presentations about applied information security for investigative journalists and hands-on workshops to get security tools working on laptops. So bring yours! Slides I used are here: PPT, PDF. Some tips and links to tools. A video from a comparable worshop last year, since then the situation has turned out to be much more dire.

Many thanks to the Centre For Investigative Journalism for making this possible. Happy to be working with them again!

Committee report electronic voting

From April 26th until December 18th 2013 I was a member of the expert committee on voting computers. This committe was instituted to advise the Dutch Minister for the Interior on the feasability of re-introducing electronic voting methods.

In the past (2008, 2012) I have always been very critical about the way electronic voting was implemented in The Netherlands up to 2007. The lack of transparancy of this method and the impossibility of recounts made this fundamentally incompatible with real democracy and,
after some convincing by citizens
, even the government agreed on this.

Keynote & interview Eurapco Insurance

<on 26-09-2013 I gave the keynote at the Eurapco congres where top EU insurance firms share expertise>

We live in a world of rapid technological change. Keynote speaker and IT expert Arjen Kamphuis discusses the implications for the insurance industry and its customers, and what measures can be taken to ensure the best possible customer experience. The objective was to raise awareness of the rapid pace of socio-technical development today and what fundamental effects this will have on the insurance industry. Changes in customer behaviour and expectations will have an impact on customer satisfaction with our companies’ claims handling.

Future shock – are we prepared for change? Some of the topics discussed in the keynote

  • What if tomorrow’s world looks really different? The basic rules of our business can change at incredible speed because of changes in technology, national/EU/ international policies, environmental threats and other external factors. New technology can overtake existing business models, and even make them irrelevant. The insurance industry faces the challenge of combining the need to be stable, secure and reliable with being dynamic, fast and responsive.
  • Cyber security needs to be taken care of, both within companies and between companies and their customers. Privacy issues are of great importance for insurance companies. For instance, it would be damaging for the image of a stable, secure and reliable insurance company if it were to be revealed that all customer data had been fully exposed by hackers or the NSA.
  • Today, all large service companies need to balance industrialised processes with the human touch. As a customer, you do not want to be exposed to the internal processes of your service provider. The customer just wants to receive service in an uncomplicated way. Changes in customer behaviour and expectations will have an impact on customer satisfaction with our companies’ claims handling.
  • Our companies’ brands face increasing danger in a fast-paced world of social media. Our customers rely more on the experience of others than on the promises of the companies. Through social media, good and especially bad experiences can be shared easily and quickly. We can join the conversation about our brand, but not control it.
  • A fast-changing world offers opportunities and threats for your business and your position in the market. Are you ready to adapt to changes in customer expectations? Is your organisation positioned to deal proactively with change, or could you be caught off guard? Do you have a plan for what to do if an improbable case scenario does occur? By carrying out regular scenario planning, you can at least have contingency plans for different case scenarios.
In your keynote speech, you mentioned that it’s very hard for anyone inside the insurance industry to see the world the way a customer, or other outsider, sees it. Can you, as an outsider, give us some tips about what is needed to achieve excellence from a customer’s perspective?

NSA intell goldmine, who else has access?

<also on HuffPo UK>

The War Room, Dr. Strangelove - 1965 Shortly after the initial release of some documents from whistleblower Edward Snowden I wrote a little summary about the IT-policy implications for Europe based on earlier columns. A lot of additional documents have come out since then and we can basically conclude that almost every computer system on the planet is fully broken or at least very vulnerable to NSA interference or manipulation.

Nobody, including the NSA, Edward Snowden, Glenn Greenwald has a total oversight of all the in the tens of thousands of documents let alone the political or strategic implications of the info contained in them. Most of the news keeps focusing on the 'scandal' aspect and/or the person of Snowden. Being angry at the US government (practised by most opponents) and attacking the person of Snowden (a favorite of apologists of the US regime) distracts from defining adequate policy responses and so far there have been precisely none in Europe. This constitutes a massive failure of the various EU governments to protect their citizens' rights and the economic sovereignty of their nations. It is also strange in light of the fact that an adequate policy response had already been formulated in July 2001 and really just needs to be implemented.

But every now and them the disinfo spread by some apologists for the behaviors of the NSA is useful for understanding how much worse the situation may just turn out to be. This article by a former NSA employee is a nice example of an attempt at smearing the whistleblower while actually digging the hole the NSA (and the US regime) is in much, much deeper. The piece claims Snowden secretly worked for Russian intelligence all along. While I do not share the authors views on Snowden's motivations or allegiances the suggestion that outside organisations could have agents inside the NSA has some interesting implications.

Info security workshop Centre for Investigative Journalism

The UK Centre for Investigative Journalism is a non-profit organisation dedicated to educating and training journalists to benefit the quality of journalism and thus public debates on important topics in society. Every year the CIJ holds a 3-day summer school where journalists can follow lectures, participate in workshops and meet with some of the foremost professionals in their field. Several months ago, when the CIJ asked me to help set up a workshop in information security, we had no idea then how hot the subject would become after the revelations by former NSA-contractor Edward Snowden. I was very happy to see the room at London City University was packed with journalists eager to learn both theory and practice of securing their communications and protecting their data. An overview of theory & tools for those who missed it, slides here, video below.

Being in London for a few days also allowed me to contribute to a cryptoparty (a workshop for teaching info security basics to anyone interested) that was kindly hosted and wonderfully supported by the London Hackerspace. Dozens of people from all walks of life showed up and we had a great time.

If you would like to attend such a workshop contact your local hackerspace and join or look at this list of upcoming cryptoparties. If nothing is planned in your area start a group yourself. The time for it has never been more propitious. The links above can get you started. If you get stuck mail me and I'll be happy to put you in contact with people near you.

Below a recording of the theory introduction part of the workshop at the 2013 summer school. After this intro the whole class worked together for several hours setting up software tools for email-encryption, anonymous browsing and testing these new capabilities with colleagues. By the end of the day over 30 journalists were tooled up to receive scoops from high-risk whistleblowers.

Privacy, a decade on

<originally a column for Webwereld - in Dutch>

On July 11th 2001 the European Parliament published a report on the Echelon spy network and the implications for European citizens and businesses. Speculations about the existence of this network of Great Britain-and-her-former-colonies had been going on for years but it took until 1999 for a journalist to publish a report that moved the subject out of the tinfoil-hat- zone. The report of the EU Parliament contains very practical and sensible proposals, but because of events two months after publication, they have never been implemented. Or even discussed further.

Under the heading "Measures to encourage self-protection by citizens and enterprises" lists several concrete proposals for inproving data security and confidentiality of communications for EU citizens. The document calls on Parliament to inform citizens about the existence of Echelon and the implications for their privacy. This information must be "accompanied by practical assistance in designing and implementing comprehensive protection measures, including the security of information technology". So not just some abstract government infomercial on TV/radio but hands-on tips to get some actual work done please!

Votingcomputer: the zombie that just won't die

<originally a Webwereld column>

U heeft gestemd - of niet?

Last month the VVD and D66 political parties (the Dutch equivalent of the Conservatives and LibDems in the UK) again proposed that the Netherlands should re-adopt electronic voting. Earlier this year the Dutch Association of Mayors also called for their reintroduction (don't you just love it when non-elected officials comment on and interfere with the electoral process :-). While the use of voting computers in the Netherlands has been banned for over four years, even for water board elections, there remains a fundamental misunderstanding of the basic problem with electronic voting.

While the many clumsy security problems (video) or the absence of the source code of the software (in the case of Nedap and SDU voting computers), are excellent talking points for the media and political agenda, these issues are not the core of the problem. And although the voting computer dossier at the Ministry of Home Affairs is now labelled with a bright fluorescent sticker: 'radioactive, do not touch!", there is still a risk that local authorities or suppliers will continue to feel that voting by computer is best "if we can just iron out a few little bugs”.

The real objections are more fundamental and have little to do with security bugs or open source code. They are the fundamental principles underpinning our democracy, and are threatened by the use of voting computers. In the many discussions on mailing lists and web forums it seems that people have lost sight of these principles.

Parliamentary hearing on IT-projects, security & privacy

On June 1st 2012 the Dutch government's Parliamentary working group on government IT-projects held a hearing of experts. My written contribution below. Capture of videostream... (in Dutch). Dutch journalist Brenno de Winter published his thoughts here. Column on this published the week after here.

Introduction - IT and the Dutch national government
Andromeda M31Universality is an assumption of astrophysics that states that all phenomena, everywhere, behave as we observe them from Earth. I'm assuming that phenomena I have observed in specific government IT projects also occur in government IT projects that I have less infromation about (this is usually caused by the poor implementation of Freedom Of Information Acts, see the notes of Mr de Winter).

IT project management is currently based on a rather naive model of reality - "smart entrepreneurs compete on a level playing field for the favours of the government, which then procures with insight and vision." However, this model does not adequately predict the observed outcome of the projects. Whence this group.

Another model would be "a corrupt swamp with the wrong incentives, populated by sharks and incompetent clowns". This model has the advantage of perfectly predicting the observed outcomes.

Waiting for the big one

<originally a Webwereld column - in Dutch>

Diginotar's multiple IT failures in the public sector have been swept under the carpet. So far, nothing indicates that there will be any real change to the Dutch government's overdue IT projects. During the hearing (mp3 – in Dutch) in the Lower House it was apparent that neither the government overseer OPTA or auditor Price Waterhouse Coopers believe themselves at fault, despite the fact that for years as regulators they have rubber stamped the work of Diginotar. The decisions of the PwC auditors were obviously good because "they are executed by responsible professionals". This will be heartening for all those Iranian citizens who are suffering the consequences of this (think of an unpleasant convergence of kneecaps and power tools).

But because of the chaos at Diginotar, we may never know for certain the full horror of those consequences. It is very simple for someone to take over an entire network and manipulate all the logs. The only thing we can really say with any certainty is that so far we have no reason to believe that IT security was any better in the past than the recently discovered FoxIT mess. The PwC audits are obviously not able to detect such a mess and OPTA apparently did not even look. Possibly Diginotar has been totally hacked for many years, and nobody noticed. A really smart spy or cyber criminal does his job and leaves no traces. The many detailed discussions about the exact scale and timeline of the hack have completely ignored this fact. From his grave Socrates is smiling at the idea that we only certainly know what we certainly do not know.