Encryption for journalists #TA3M

Techno activism

Techno-Activism Third Mondays (TA3M) is an informal meetup designed to connect software creators and software users who are interested in learning or teaching about censorship, surveillance, and various open source technologies for personal computing devices of all kinds. The New York-based nonprofit OpenITP started TA3M in December 2012, with New York, San Francisco and Berlin hosting their first TA3M events in January of 2013. Currently, TA3M events are held in at least 20 cities throughout the world, with many more launching every month.

Seattle hosted its first TA3M event in August 2013. At our November event, 35 people attended presentations about Geeks Without Bounds involvement, Tor software development, and Tor use on personal computing devices.

Seattle journalists

For December’s TA3M in Seattle, I’ll be presenting on the use of specific open source encrypted communications applications for mobile and personal computing devices. The target audience for my presentation is people who are brand new to these encryption-optional chat tools but generally familiar with instant messaging platforms.

  • ChatSecure for Android and iOS, by The Guardian Project
  • Orbot for Android, by The Guardian Project
  • Pidgin for Windows, OSX, and Linux

The rough draft of my presentation can be found here.

Tentative event schedule here.

If you are planning to attend this free and open-to-the-public event, and have any questions that technical people such as me can help answer for you, please post questions in the comment section of this post.

 


ChatSecure Tutorial for #TA3M

This post is made for Seattle’s Techno-Activism 3rd Mondays (#TA3M) event on December 16, 2013. For details about the event, stay tuned to this wiki page: https://wiki.openitp.org/events:techno-activism_3rd_mondays:seattle

In my presentation I’ll be demonstrating how to use The Guardian Project‘s mobile device application ChatSecure (Android) (iOS), which is a tool for people wanting to keep their text-based conversations private and secure. To demonstrate at #TA3M, I will be using my HTC cell phone and a Windows laptop. My phone will be pre-configured to use ChatSecure, but I’ll install and configure Pidgin and pidgin-otr on my laptop since I’ll have access to a projector. I’ll start the presentation by running through this blog post and its screenshots, but will integrate the Pidgin demonstration once I get to the contact management and OTR initialization screenshots.

Please comment on this post or Tweet at me if you have any feedback.

 

Creative Commons License
This blog post (ChatSecure Tutorial for #TA3M by Christopher Sheats) is licensed under a Creative Commons Attribution 3.0 Unported License. You are free to copy and remix it without restriction.


Install ChatSecure. I installed it from the Google Play Store.


Open the ChatSecure application.

Set a strong password that you can remember. This password is set to protect access to ChatSecure, in case your phone is stolen or compromised. This is an added layer of protection so that adversaries cannot access your past communications or pretend to be you and have conversations with your contacts.

Add an account. For demonstration purposes and ease-of-use, I’ve opted to use my Gmail address. Using a Google account will likely be the least private means of private conversation. Keep in mind that Google and the NSA will own the metadata of your chats, including:

  1. The fact that you are using the internet (time stamp)
  2. The fact that you are signing in and out of Google (time stamp)
  3. The fact that you are conversing with a specific person (contact and time stamps)

Also keep in mind that when using Off The Record (OTR) messaging, Google and the NSA will not be able to read the content of your conversation, since it will be encrypted.


XMPP and ZeroConf are alternative messaging architectures that may allow you greater privacy if used correctly. Be sure to research what chat protocol is best for you and the risks that you face.

Connecting to Google via the Tor anonymity network is recommended to protect your physical location’s metadata and to ensure private transit. However, be aware that if you’re using a cell phone, your cell service provider knows where you are, and if the NSA needed to find out where you were during an OTR conversation, it could compare the time stamps that Google and your cell service provider have.

Selecting this check box will bring up a dialogue to install Orbot (Android) if you do not already have it installed.

Install Orbot.

Open Orbot.

Select your language.

Read and click through the dialogue.

If you have not rooted your Android, you will not be able to use Orbot’s advanced functionality. But for the purpose of using ChatSecure and other applications designed to work with Orbot, you will still be able to use the Tor network.

It looks like Orbot hasn’t been updated to advertise ChatSecure by its new name–formerly Gibberbot.

Press and hold the ‘power’ icon in the center to start your Tor connection.

Orbot will begin connecting to the Tor network automatically.

Now you’re connected to Tor and your ChatSecure application will route its communication through Tor.

Sign into your Google account (similar to Google Hangouts).

Select the three-vertical-box icon to access Settings.

Select Chat Encryption.

Require encryption for your ChatSecure/OTR conversations.

You may need to add a contact.

Enter the email or account address of the person whom you wish to converse with.

Select the person whom you wish to converse with.

Say hello! Keep in mind that the padlock at the top of the screen is not locked. This “hello” will be in cleartext.

Select the padlock to start the encryption (OTR) initialization process. The person with whom you are chatting must have an OTR-compatible client, ideally the same version of the same software, or at least an up-to-date OTR-compatible application, like Pidgin for PC, Mac, and Linux.

Your ChatSecure conversation is now encrypted using OTR; however, the yellow question mark in the padlock indicates that the person with whom you are chatting is not verified.

Select the padlock again to Verify the person (ID) whom you are chatting with.

Ideally you will select Question in order to answer a question to which you and the person with whom you are privately conversing both know the answer. This helps verify that you’re talking to the right person. You should also verify the ‘public key fingerprint‘. For ease of use in this presentation, I manually approved the identity.

Verify the prints!!! and inform the person with whom you’re speaking of yours!!!

Now that you have verified the identity of the person with whom you are conversing, ChatSecure changed the padlock icon from a yellow question mark to a purple check.

Notice that because OTR (end-to-end encryption) is functioning and the person on the other end is verified, the text that is sent and received from now on also uses the purple padlock.

By default, ChatSecure will not store your conversation on your mobile device. So when you close a chat window and start a new session, you will have no chat history.

This is an example of what “information” Google and the NSA see from your OTR conversation. Privacy rules!

DISCLAIMER: The above public key fingerprints are not my actual fingerprints. These screenshots are only for the purposes of my demonstration.

Get Tomb 1.4 up and running on Ubuntu 13.10

Tomb is an excellent command line tool for maintaining encrypted files. Tomb files can be stored on an Internet-facing server so that they can be accessed from anywhere in the world using any SSH client. An adversary would have to compromise said server, gain administrative privileges, and brute force the Tombs (if they have the key files) in order to recover the contents of said Tombs. Someone that is more “at risk” than me should invoke an air gap between the Internet and their Tombs. Managing your Tomb’s key files is a different matter that I’ll discuss later.

Read about Tomb here: http://www.dyne.org/software/tomb/

Download Tomb onto your Ubuntu server.

wget 'https://files.dyne.org/.xsend.php?file=tomb/releases/Tomb-1.4.tar.gz'

Rename the downloaded file.

mv '.xsend.php?file=tomb%2Freleases%2FTomb-1.4.tar.gz' Tomb-1.4.tar.gz

Download the SHA hash/checksum file.

wget https://files.dyne.org/tomb/releases/Tomb-1.4.tar.gz.sha

View the published SHA hash for the Tomb tar file.

cat Tomb-1.4.tar.gz.sha

2621ac6b9180321e69743dc899645449b2b958c6aa46e4b2601c2e89131bbf29  Tomb-1.4.tar.gz

Compute the SHA checksum of the Tomb tar file you downloaded and compare it to the above hash. If they’re the same, continue with installation.

sha256sum Tomb-1.4.tar.gz

2621ac6b9180321e69743dc899645449b2b958c6aa46e4b2601c2e89131bbf29  Tomb-1.4.tar.gz
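
The by-eye comparison above can be scripted so that a mismatch stops the install. This is an added example, not part of the original post or of Tomb; the function names verify_download and demo_verify and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or from Tomb).
# verify_download FILE SUMFILE
#   0 = digest listed for FILE in SUMFILE matches the file on disk
#   1 = digest mismatch
#   2 = FILE or SUMFILE missing
#   3 = SUMFILE has no well-formed SHA-256 entry for FILE
verify_download() {
    file=$1
    sumfile=$2
    if [ ! -f "$file" ] || [ ! -f "$sumfile" ]; then
        return 2
    fi

    name=$(basename "$file")
    # sha256sum format is "<hex digest>  <name>" (or " *<name>" in binary mode).
    expected=$(awk -v n="$name" \
        '$2 == n || $2 == ("*" n) { print tolower($1); exit }' "$sumfile")

    # Fail closed on a missing entry or anything that is not 64 hex characters.
    if ! printf '%s\n' "$expected" | grep -Eq '^[0-9a-f]{64}$'; then
        return 3
    fi

    actual=$(sha256sum < "$file" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        return 1
    fi
    return 0
}

# Constructed demonstration: a stand-in file, not the real Tomb archive.
demo_verify() {
    tmp=$(mktemp -d) || return 1
    printf 'constructed stand-in for the archive\n' > "$tmp/Tomb-1.4.tar.gz"
    ( cd "$tmp" && sha256sum Tomb-1.4.tar.gz > Tomb-1.4.tar.gz.sha )

    rc_good=0
    verify_download "$tmp/Tomb-1.4.tar.gz" "$tmp/Tomb-1.4.tar.gz.sha" || rc_good=$?

    # Simulate corruption or tampering after the checksum was published.
    printf 'extra bytes\n' >> "$tmp/Tomb-1.4.tar.gz"
    rc_bad=0
    verify_download "$tmp/Tomb-1.4.tar.gz" "$tmp/Tomb-1.4.tar.gz.sha" || rc_bad=$?

    rm -rf "$tmp"
    echo "untouched=$rc_good tampered=$rc_bad"
}

demo_verify
```

A checksum fetched from the same server as the archive catches a corrupted download, but not an archive that was replaced together with its checksum file.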

Extract the Tomb tar file.

sudo tar -zxvf Tomb-1.4.tar.gz

Change into the newly created Tomb Directory.

cd Tomb-1.4/

Install Tomb.

sudo make install

Check that Tomb installed by checking its version.

tomb -v

Tomb 1.4 – a strong and gentle undertaker for your secrets

Copyright (C) 2007-2013 Dyne.org Foundation, License GNU GPL v3+
This is free software: you are free to change and redistribute it
The latest Tomb sourcecode is published on
This source code is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Please refer to the GNU Public License for more details.

System utils:

Sudo version 1.8.6p3
cryptsetup 1.4.3
pinentry-gtk2 0.8.1
gpg (GnuPG) 1.4.14 – key forging algorithms (GnuPG symmetric ciphers):
IDEA 3DES CAST5 BLOWFISH AES AES192 AES256 TWOFISH CAMELLIA128 CAMELLIA192 CAMELLIA256

Be sure to “shred” your Tombs or Tomb key files if you ever want to move them or delete them. If you’re moving your files, copy them first then shred the unwanted files. Do not simply move them.

sudo shred -f -v -z -u tomb.tomb.key
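
The copy-then-shred order described above, with a digest check so the original is destroyed only after the copy is confirmed identical. This is an added example, not from the original post or from Tomb; the function names relocate_and_shred and demo_relocate and the sample key file are constructed, and the shred flags are the ones used in the command above.

```shell
#!/bin/sh
# Added example (not from the original post or from Tomb).
# relocate_and_shred SRC DEST_DIR
#   0 = copy verified, original shredded and unlinked
#   1 = copy failed or did not match; original left untouched
#   2 = SRC is not a regular file or DEST_DIR is not a directory
#   3 = a file of that name already exists in DEST_DIR
#   4 = copy is good but shred failed; original still present
relocate_and_shred() {
    src=$1
    destdir=$2
    if [ ! -f "$src" ] || [ ! -d "$destdir" ]; then
        return 2
    fi
    dest=$destdir/$(basename "$src")
    if [ -e "$dest" ]; then
        return 3
    fi

    # Copy first (never mv): mv across filesystems copies and then unlinks
    # the source without overwriting its blocks.
    if ! cp -p -- "$src" "$dest"; then
        rm -f -- "$dest"
        return 1
    fi
    sync

    # Destroy the original only once the copy is byte-for-byte identical.
    src_sum=$(sha256sum < "$src" | awk '{ print $1 }')
    dest_sum=$(sha256sum < "$dest" | awk '{ print $1 }')
    if [ -z "$src_sum" ] || [ "$src_sum" != "$dest_sum" ]; then
        rm -f -- "$dest"
        return 1
    fi

    # Same flags as the command above, minus -v: force, final zero pass, unlink.
    if ! shred -f -z -u -- "$src"; then
        return 4
    fi
    return 0
}

# Constructed demonstration: the key file content is a stand-in, not a real key.
demo_relocate() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/old" "$tmp/new"
    printf 'constructed key material, not a real Tomb key\n' > "$tmp/old/tomb.tomb.key"
    rc=0
    relocate_and_shred "$tmp/old/tomb.tomb.key" "$tmp/new" || rc=$?
    [ -e "$tmp/old/tomb.tomb.key" ] && left=yes || left=no
    [ -f "$tmp/new/tomb.tomb.key" ] && copied=yes || copied=no
    rm -rf "$tmp"
    echo "rc=$rc original_left=$left copied=$copied"
}

demo_relocate
```

shred overwrites the file in place, and its own manual warns that this is not effective on journaling, copy-on-write or log-structured filesystems, or where snapshots and backups hold earlier copies.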

A local initiative for the people’s right to privacy

“Gentlemen do not read each other’s mail.”

This was said by Henry L. Stimson in 1929 in support of the US State Department’s defunding of the Black Chamber program that was used to decipher foreign ambassador communications. At that time, Stimson was the Secretary of State under President William Howard Taft. Stimson’s opinion, however, is said to have changed while he served as the Secretary of War under President Herbert Hoover and President Franklin D. Roosevelt, during which the United States government relied heavily on the enemy’s decrypted communications during wartime.

Mass surveillance is a crime against people, not just the American people. The people did not ask for it, not even the special interests behind the development of the Patriot Act. Secret mass surveillance and secret laws are instituted and accepted by people in power, to gain and maintain power, which are illegitimate acts for a developing democracy. They are illegitimate acts of a country that developed the Internet.

Civilly speaking, cryptographically encrypting information before transmission is the same as licking and sealing a letter before mailing it. It is the same as closing a clear glass door on a telephone booth before having a private conversation. It is the same as putting on clothes to protect things expected to remain private.

I expect that only entities that privately sign digital certificates that create the foundation for private chats, private socializing, and secure transactions on the internet can decrypt my information. It should be illegal for entities beyond the original signer of public key infrastructure certificates to have a copy of the private key in such a way that allows said entity to view or record the decrypted content that is expected to remain private between two specific parties. It should also be illegal for any entity to attempt to break or subvert encryption mechanisms on common-carrier infrastructure as long as that data is being transmitted or being stored on American soil, no matter the nationality of the person transmitting their encrypted internet content. It is time for the United States to learn from its mistakes and emerge as a civil liberties leader.

What I would like to do is identify other leaders throughout the United States that want to pass a shared city law that makes illegal the above acts. We should all vote for and approve these laws in tandem to reduce the risk of federal or state legal threats. Cities need to come together to protect local internet infrastructure.

Governance representatives are failing to protect the nature of our constitutional protections in law and debate. They are failing to understand the importance of the Internet. Federal representatives are literally working backwards at times, with the Patriot Act, CISPA, PIPA, and the TPP as perfect examples. It is time to work from the ground up and enact local laws that affect local internet infrastructure.

We cannot let special interest groups, that bribe our representatives, write our laws for us. The interest of the people needs to be voiced through local law. Let us tell state and federal government that it is not okay to subvert public law with secret law, and that mass surveillance cannot be tolerated, period. Law enforcement has worked, successfully, for hundreds of years without mass surveillance. The city laws that I am proposing do not inhibit the normal procedure of law enforcement to acquire a warrant, through justified evidence, to obtain private information about specific individuals to prevent or punish crime.

In addition to hosting DNS root servers and the Seattle Internet Exchange, the Westin datacenter connects us to billions of un-Americans on the other side of the Pacific Ocean. Many other cities throughout the United States host similar infrastructure. These communication points are ideal for the placement of unethical surveillance equipment, and we must make this act illegal in our cities. Let us put pressure on our state by protecting local resources, the technology that ensures the security of our online communications, and the integrity of our local businesses.

From https://www.aclu.org/sites/default/files/assets/lavabit_brief_of_us.pdf, it is clear that sometimes our founding legal frameworks are not explicit.

THE FOURTH AMENDMENT DOES NOT PROHIBIT OBTAINING ENCRYPTION KEYS FOR THE PURPOSE OF DECRYPTING COMMUNICATIONS THAT THE GOVERNMENT IS LAWFULLY AUTHORIZED TO COLLECT

Let us build our own laws for our expectations of privacy. For example, as described in the book, Toward an Information Bill of Rights & Responsibilities (http://yawnbox.com/?p=283):

Preamble

Information privacy is the claim of individuals to determine what information about them is disclosed to others and encompasses the collection, maintenance, and use of identifiable information. Privacy is an important value in a democratic society. For individuals, it enhances their sense of autonomy and dignity by permitting them to influence what others know about them. For associations, privacy enhances the ability of individuals to function collectively by permitting the association to keep deliberations and membership and other activities confidential. For society, privacy fosters individual and associational contributions to society, promotes diversity, and limits undesirable conduct and abuse of authority by government and other institutions.

Privacy is not an absolute right. It must be balanced with competing values and interests, including First Amendment rights, law enforcement interests, and business or economic interests in information. The following Code of Information Rights and Responsibilities attempts to strike an appropriate balance between privacy and competing interests, in an environment shaped by technological breakthroughs in the ability of organizations to collect and disseminate personal information.

A number of characteristics of the new information environment make it imperative to adopt a Code of Information Rights and Responsibilities. These include:

  • Technological enhancements in the ability to capture, store, aggregate, exchange, and synthesize large quantities of information about individuals, their transactions, and their behavior;
  • Proliferation of powerful computing capacity to the desktop;
  • Creation of worldwide networks through which information about individuals can easily, cheaply, and quickly flow;
  • Increasing use of target marketing, modeling, and profiling;
  • New technological abilities that permit individuals to access personal data maintained by others;
  • Decreasing cost of computing technology used to manipulate data;
  • New social and cultural values and developments regarding personal information.

Two general principles apply to all of the provisions of the Code of Information Rights and Responsibilities. First, an individual is entitled to greater protection and due process when information is used to make determinations about his or her rights, benefits or opportunities. Second, the protection of privacy must be interpreted consistently with First Amendment principles. Resolving the inherent tensions between the values of privacy and the First Amendment must take place on a case-by-case basis.

The scope of the Code of Information Rights and Responsibilities is limited to individual and associational privacy as defined above, and does not cover government and corporate interests in secrecy. It addresses how activities of information keepers and processors involving the collection, maintenance, and use of personal information should be evaluated when privacy interests overlap or conflict with other interests, values, or significant community needs.

First Principles

A. Collection
There should be limits on the ability of information keepers and processors to collect personal information. Information should only be collected when relevant, necessary, and socially acceptable.

A-1.
Information should be collected directly from the individual whenever possible.

A-2.
When not collecting information directly from the individual, notice, access, correction, and other rights should be provided if the information is used to determine rights, benefits, and opportunities.

B. Notice/Transparency
Individuals providing information to an information keeper and processor have the right to receive, at the time that information is provided, a notice of information practices describing how the information will be used, maintained, and disclosed. Information keepers and processors must provide a copy of notice of information practices upon request. There should be no secret systems containing personal information. Individuals have a responsibility to make informed choices about how information about them is to be used.

C. Access and Correction
Individuals have the right to see and have a copy of any information about themselves maintained by others, consistent with the First Amendment and with other important public and private policy interests. Individuals have the right to seek correction of information that is in error. When a correction is made, the individual may require that copies of the corrected information be provided to all previous recipients. Where there is a disagreement about the accuracy of information, the individual may include along with the disputed information a statement of disagreement.

D. Use
Information may only be used for a purpose that is identified and described at the time that the information is collected. Other uses may be permitted only if they are not inconsistent with the original understanding.

E. Disclosure
Disclosures other than those described at the time of collection may be made to third parties only with the consent of the individual or where required by law. Explicit consent by the data subject shall be required for personal information of the highest sensitivity and may be implied for less sensitive personal information. (Whether consent must be express [opt-in] or may be implied [opt-out] is an open question.)

F. Accuracy
Information keepers and processors must take appropriate steps to assure the accuracy, completeness, timeliness, and security of the information. Information keepers and processors must devote adequate resources to these functions.

G. Enforcement
Rules about the collection, maintenance, use, and disclosure of information should be enforced through suitable mechanisms, such as administrative processes, professional standards, civil actions, criminal penalties, government or private ombudsmen, and other means.

H. Oversight
There is a need for an independent federal entity to conduct privacy oversight and policy-making activities.

  • Information keepers and processors and others should be encouraged to explore technical means to protect privacy.
  • There should be an exploration of other means to promote self-determination in the use of personal information, including proprietary rights and dual control mechanisms.
  • The creation of information trustees who maintain personal data on behalf of diverse information keepers and processors should be considered.
  • There is a need to explore the rights and responsibilities of individuals and information keepers and processors when changes in the use and disclosure of information are developed after the time of collection.

Together we must begin drafting a law that can be shared by the people, city governance, and our local businesses. Together we must approve these measures and begin putting a stop to mass surveillance on any and all people, not just Americans, while also demonstrating our right to privacy.

Information strings and their use in understanding digital journalism

Oxford Internet Institute MSc in Social Science of the Internet research proposal by Christopher Sheats

Introduction. In his book, Information: A Very Short Introduction, Dr. Luciano Floridi defines the differences between five types of semantic information (5-TSI)—primary, secondary, meta, operational, and derivative. Floridi then tells a story and describes specific pieces as being “primary” in nature, or “operational” in nature, etcetera. I have adapted Floridi’s 5-TSI to create a framework that goes beyond focusing on independent pieces of information. My research links these independent pieces together to more effectively trace the focus of how the main topic or topics of a news article are being described to the reader. I propose that this linking of information-types becomes an information string.

Identifying information strings allows one to analyze semantic information by qualifying and categorizing information to determine what is and is not present in any given article. My area of interest concerns the quality of information of politically motivated online news articles. A diverse and relevant range of information strings makes up a news article’s informativeness, which is a metric that can describe how high or low the quality of information is. My objective is to determine the quality of any given set of information, which may or may not indicate aspects of informativeness, misinformation, and disinformation.

Hypothesis. In order for my hypothesis to work, I had to invent an information-string system. The notion of “primary” information is the smallest, least complicated “tier” of information which I call a “first-tier” information string. Operational information concerning a news article topic is “primary-operational” information, or, a second-tier information string, because it is operationally describing the primary information. Each sub-tier is always a complication of its respective higher-tier information string, be it secondary, meta, operational, or derivative. I propose that every information string in a stand-alone news article should start as primary-“something”, because information in any news article should focus on or support a main topic.

I hypothesize that information strings can be logically and visually mapped in such a way that will enhance news aggregation websites.

With any given news article topic or topics (the primary information), there should be a substantial amount of related information already available online. With the release of new information by journalists, politicians, whistle-blower release sites, encyclopedia developments, and social media participants, the nature of that primary information will evolve. Over time, primary information strings change depending on a multitude of factors that affect primary’s sub-tier information. Through analyzing the nature of the information string change, trends should emerge to help identify those factors.

What I expect my research to support is the premise that information string evolution will dramatically shift based on specific sources, including individual journalists, individual political speakers, entire news agencies, or entire political organizations. Tracking information that has a high probability of being deceptive via the application of information strings should allow me to visually represent the change of information over time to better understand the consequences of using low-quality information.

Methodology. With the help of my research mentor, Dr. Floridi, I will select a topic in news media to analyze. For example, in a public blog post, I looked at an NBC News article alleging that US officials claimed that the Iranian government was responsible for cyber attacks against the US government. Through the application of information strings, I was able to provide evidence that its low-quality information was later being referenced in follow up articles by the same and other news agencies, leading to systemic low-quality information and probable deception. Information strings can become dependent on false information that allow the generation of all kinds of information strings in other, stand-alone, online news articles.

Surveys will need to be developed and administered to a wide range of participants to gauge the informativeness of the use of specific information string diversity and order. Survey questions will depend on the development and application of my information strings framework. The following questions were developed to better shape survey questions:

 

  1. Is it feasible to track the behavior of information in semantic media using the 5-TSI?
  2. How persuasive is one information type, of the 5-TSI, over another?
  3. Which types of the 5-TSI affect the trend of semantic media the most? The least?
  4. Is objective information composed more of one of the 5-TSI over any of the others?
  5. In semantic media, can the 5-TSI be broken down into percentages and graphed?
  6. How do subjective information and objective information affect the 5-TSI? Vice-versa?
  7. Is it possible to identify the gaps between data and information in semantic media, depending on the type of information, either biological information or the 5-TSI?
  8. Is it possible to automate the detection of the 5-TSI present in a piece of semantic media?
  9. To what degree does biological information affect the 5-TSI?
  10. What types of the 5-TSI persuade a user of that information to ask more questions rather than make more assumptions? Vice-versa?
  11. Is it possible to use one or many types of information to strategically develop information warfare operations?
  12. Do the 5-TSI change in perception by a biological entity that is limited to biological information?
  13. Does understanding the information type affect one’s ability to understand information in a more objective sense?
  14. How do we extract wanted information from all perceived information, of the 5-TSI?
  15. How do we extract primary information from secondary information? Or vice-versa?
  16. What percentage of the 5-TSI create more perceived information entropy, information, and/or contradictory information? Can the 5-TSI be broken down into these categories?
  17. Do various types of the 5-TSI create any more or less information entropy?
  18. Does the diversity or order of the 5-TSI affect information entropy?
  19. Does information entropy shift as one learns more?
  20. How does information entropy change and how is it affected by biological information and the 5-TSI?
  21. Does semantic information have strong relationships with biological information? Can it be understood using complex adaptive systems analysis?
  22. Is there a dualism to Floridi’s 5-TSI?
  23. Is it feasible to minimize or maximize the use of meta information, except when in support of primary information, to better produce disinformation? Or any of the other 5-TSI?
  24. Is it possible to systematically or systemically organize meta information as primary information, or secondary information as primary information, etc?

 

Conclusion. Depending on the probability of informativeness and the ever present risk of deception in political news articles, a news aggregator such as Google News could eventually achieve two things. One, it could make targeted suggestions to information consumers that present the least amount of content to consume while achieving the greatest amount of informativeness based on open sources. Two, because there will eventually be a database of historical trends based on information string change, a news aggregator could strategically suggest information that will best support probable information changes.

This research will allow for the development of automated systems to best support the actions of an information consumer based on high-quality information, rather than wallow in a bunch of unstructured, seemingly random news with no qualified risks of misinformation or disinformation. If my research is successful, I have every intention to push this research in the OII’s DPhil in Information, Communication and the Social Sciences program.

Henry Markram of the Blue Brain project, founded in 2005 to attempt to create a synthetic brain, was quoted in an interview from 2008 as saying, “So much of what we do in science isn’t actually science. I say let robots do the mindless work so that we can spend more time thinking about our questions.” The internet has extraordinary capacity to meaningfully inform its users. We need better information management systems to help us ask the right questions when it comes to consuming information online.