Friday, February 09, 2007

How journalists protect themselves under internet censorship and surveillance

I just finished the draft version of this report. When I have time, I'll add the images to it. I also have all of the software and tools mentioned in this report; if you need them, I might give them to you whenever possible.

We tend to think that Internet censorship just means blocking websites. That is true, but it is only part of it. The more important part of Internet censorship is to block the free flow of information entirely, and to track, monitor and torture people who dare to interfere with that goal.

As journalists, we use and exchange a great deal of information, so information security is crucial to our work. This report discusses the information security issues journalists face from three perspectives: Internet browsing, system security and communication security.

1 Internet browsing

1.1 Choose safer browsers

Since most viruses and malicious programs target Microsoft’s Internet Explorer browser, Firefox, which is developed and maintained by a non-profit foundation, might be a better choice. You should also install some security extensions for Firefox from https://addons.mozilla.org.

1.2 Anonymous proxies

Remember: never use untrusted proxy servers carelessly. Some free proxy servers may be bait; they can record your IP address and other important system information, and then track you using the information you provided. You must choose safer anonymous proxy tools.

1.2.1 Web based proxies

There are many safe anonymous proxy tools to choose from. The first kind is web-based proxies, such as Proxify, Proxyweb.net, unipeak.com, Anonymouse.org, Google language tools and so on. If you simply visit web pages, you can use those services safely.

1.2.2 Software based proxies

However, web-based proxies might be blocked as well, in which case you need software-based anonymous proxies. There are many such tools, including Hide IP Platinum, Anonymizer, Circumventor, and HTTP-Tunnel, whose high-bandwidth version is paid. In addition, P2P-based proxy programs such as Freenet, Tor (better used with Proxify), JAP, and Freegate could be safer and more stable. Always download them from their official websites, because fake proxy tools are able to trace you.

1.2.3 VPN service

If your corporation has a VPN (Virtual Private Network) service, it will be very convenient and safe for you to use the Internet when you work in censored countries. Even if your corporation does not have such a service, you can still use a free VPN service such as secureix.com or iPIG, which can encrypt all Internet communications including WiFi, or HotSpotVPN, which is paid. Besides, if you have an additional computer on hand, you could install OpenVPN or SoftEther on it before you leave. In that case, both you and the friends you correspond with will be safe on the Internet.

1.3 Beware of viruses, phishers and hackers

More and more spyware, adware and Trojan horse programs are concealed in web pages. That means that if you visit a website containing those programs, your computer will be infected. Worse, anti-virus programs usually do not help in this case.

To prevent that, make a habit of not downloading illegal software or MP3 files and not visiting unknown websites. A good remedy is McAfee SiteAdvisor (siteadvisor.com), which gives hints and suggestions on many websites. If you are not sure whether to visit a website that turned up in a search, follow SiteAdvisor’s advice.

1.4 Cache and cookies

Some programs, such as Web Cache Illuminator, can find out which websites you have visited by analyzing your cache. Therefore, be sure to delete the cache completely. Cookies are files that record the user’s system and web access information. They are usually safe and useful, but they can be exploited by hackers and censors. Therefore, either turn off cookies in the browser or delete them after every browsing session.

2 Computer system security

2.1 Password protection

The easiest way to protect yourself is to set strong passwords, as long and complex as possible, for your system and BIOS. You should set separate startup, supervisor and hard disk passwords in the BIOS configuration. Most importantly, with a hard disk password, even if your hard disk is taken away by other people, they cannot see its contents. However, not all computers support hard disk password protection. In that case, you can use special software such as PGP (Pretty Good Privacy), described below, to lock your hard disk.

2.2 Encrypt hard disks and files

You probably have your own ways of protecting your documents, such as encrypting them with WinRAR or sending them to your E-mail accounts. These are not actually safe enough, because simple encryption can be decrypted and E-mail accounts can be broken into. PGP, which has been commercialized, and OpenPGP and TrueCrypt, both of which are free software, are the best solutions so far. They can encrypt your hard disks, removable disks, flash memory and documents with algorithms as high as 4096 bit. Under such circumstances, nobody except you can open your hard disk and documents.

2.3 Delete files completely

You can delete files on the computer easily with your mouse. However, they can also be recovered easily, even if you have formatted or repartitioned your hard disk: FinalData, Easy Recovery, Disk Genius and similar tools are data recovery experts. Therefore, if you do not want your files to be recovered by other people, you should encrypt them with the tools mentioned above, or use tools such as PGP, Eraser and Shredder, which can truly delete files completely.
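The idea behind overwrite-before-delete tools can be sketched as follows. This is an added illustration, not code from this report or from any of the tools it names; the function name `overwrite_and_delete` and the sample note are made up for the example, and it assumes a filesystem that rewrites blocks in place.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # overwrite in 64 KiB pieces to bound memory use


def overwrite_and_delete(path, passes=1):
    """Overwrite a file's bytes in place, then rename and unlink it.

    Returns the number of bytes written. Assumption: the filesystem rewrites
    blocks in place, so the old bytes are really replaced on disk.
    """
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))  # random data, not zeros
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # force this pass to disk before continuing
            written += size
    # Rename first so the directory entry no longer carries the original name.
    anon = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.rename(path, anon)
    os.unlink(anon)
    return written


def demo():
    """Constructed sample: write a fake note, wipe it, report the result."""
    workdir = tempfile.mkdtemp()
    note = os.path.join(workdir, "interview-notes.txt")
    with open(note, "wb") as fh:
        fh.write(b"CONSTRUCTED SAMPLE: source name and meeting place\n" * 100)
    size = os.path.getsize(note)
    written = overwrite_and_delete(note, passes=2)
    return size, written, os.path.exists(note)


if __name__ == "__main__":
    print(demo())
```

On SSDs, flash drives and journaling or copy-on-write filesystems, older copies of the data can survive an in-place overwrite, so encrypting the disk beforehand, the other option given above, is the more dependable of the two.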


2.4 Firewall, anti-virus and anti-malicious-programs tools

2.4.1 BlackIce and Norton

Not installing a firewall on your computer is like not having a door on your house. A firewall such as BlackIce is very important for protecting your computer from intrusion, and you should configure it carefully. Anti-virus software is also very important. Choose software that you trust; Norton corporate version is a good choice, as it performs well against both viruses and hackers. Remember to scan your system periodically in “safe mode”.

2.4.2 Microsoft Windows Defender, Spybot - Search & Destroy, System Repair Engineer

If you suspect that your computer has been infected by spyware or adware, use specialized tools such as Microsoft’s Windows Defender or Spybot - Search & Destroy to detect and clean it. In addition, System Repair Engineer can restore your registry, browser and system configuration to normal.

2.5 Beware of system loopholes

2.5.1 Turn off unnecessary services

Services in Windows are crucial to the normal operation of the system. However, there are many services that ordinary users seldom need, and they might become loopholes for hackers to exploit. Therefore, you should turn off services such as “Server”, “Remote Registry” and “Terminal Services” in the service configuration. This saves precious memory and reduces the chance of being attacked.
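To check a machine against this advice, the output of the Windows command `sc query state= all` can be scanned for the three services named above. The script below is an added example, not part of the original report; the sample listing is constructed, and the function names `parse_states` and `audit` are made up for the illustration.

```python
import re

# Display names quoted in the text, keyed by the Windows service key name
# (lower-cased, because service names are case-insensitive).
FLAGGED = {
    "lanmanserver": "Server",
    "remoteregistry": "Remote Registry",
    "termservice": "Terminal Services",
}

# Constructed sample in the layout printed by `sc query state= all`.
SAMPLE = """\
SERVICE_NAME: Dhcp
DISPLAY_NAME: DHCP Client
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
SERVICE_NAME: LanmanServer
DISPLAY_NAME: Server
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
SERVICE_NAME: RemoteRegistry
DISPLAY_NAME: Remote Registry
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
SERVICE_NAME: TermService
DISPLAY_NAME: Terminal Services
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
"""


def parse_states(text):
    """Map each SERVICE_NAME in `sc query` output to its STATE word."""
    states, current = {}, None
    for line in text.splitlines():
        name = re.match(r"\s*SERVICE_NAME:\s*(.+?)\s*$", line)
        state = re.match(r"\s*STATE\s*:\s*\d+\s+(\w+)", line)
        if name:
            current = name.group(1)
        elif state and current:
            states[current] = state.group(1)
    return states


def audit(text):
    """Return (service, display name, state) for flagged services not stopped."""
    return [(svc, FLAGGED[svc.lower()], st)
            for svc, st in parse_states(text).items()
            if svc.lower() in FLAGGED and st != "STOPPED"]


if __name__ == "__main__":
    for svc, display, st in audit(SAMPLE):
        print(f"{display} ({svc}) is {st}: sc stop {svc} & sc config {svc} start= disabled")
```

A stopped service can still start again at the next boot; `sc qc <name>` shows its start type.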

2.5.2 Update patches

As we all know, Windows has many bugs and loopholes, so we should install patches as frequently as we update virus definitions. If possible, the best way is to let Windows update automatically (turn on “Automatic Updates” in the service configuration mentioned above). Otherwise, you can install Microsoft Baseline Security Analyzer and scan your computer frequently.

2.5.3 Shadow systems or virtual machines

If your work requires you to visit many dangerous websites and test many programs, you can install a shadow system such as Power Shadow. With it, all viruses disappear and everything returns to normal after you restart your system. Alternatively, you can install a virtual machine such as Microsoft Virtual PC, Parallels Workstation or VMware. Even if the virtual system is damaged by viruses or broken into by hackers, you can delete it as you would delete a document on your computer.

3 Communication security

3.1 E-mail

E-mail is probably the most popular application people use. As a journalist, you might need to contact a person inside a censored country, or you might be conducting interviews in that country. Be careful with your E-mail communication, as it might put you or your interviewees in a very dangerous situation.

3.1.1 Free and anonymous e-mail services

First of all, choose a safe E-mail service. Generally speaking, Gmail and Hotmail are safe enough to use. However, if you are not sure, you can use Hushmail. It uses Java technology and very high-level encryption algorithms, so that nobody, including Hushmail itself, is able to crack your E-mails.

If you send E-mails but do not want other people to see your address, you need anonymous E-mail accounts. MyTrashMail provides such a service, which lets you receive mail normally while publishing only fake E-mail accounts. AnonymousSpeech.com lets people send secure E-mails totally anonymously. In addition, remailers such as Cypherpunk, Mixmaster and Mixminion allow anyone to post to a newsgroup or send an E-mail while remaining anonymous.

3.1.2 Encryption

You should also use PGP or OpenPGP (www.gpg4win.org) to encrypt every important E-mail message. Your messages can then be read only by the people to whom you have given the decryption keys. Even if the encrypted E-mails are intercepted and accessed, their contents are meaningless without the decryption key.

3.1.3 Use strong passwords and change them frequently

The password for your E-mail account should be strong (as long and complex as you can remember) and changed frequently. Comparatively speaking, using an E-mail client is safer than checking mail on the web, because some Trojan horse programs can record and steal your web-based E-mail account information. Furthermore, since Outlook is usually the target of attack, you might as well use an alternative E-mail client such as Thunderbird, developed by the same organization as Firefox, or Sylpheed-Claws, which is well integrated with OpenPGP.

3.1.4 Unidentified and phishing mails

Some E-mails you receive can steal important system information such as your IP address. This could be the start of a premeditated attack. Therefore, you had better refuse HTML mail and not let E-mails display images automatically.
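The reason for this advice is that an HTML mail can reference images and other content on a remote server, and fetching them when the message is displayed hands that server the reader's IP address. The added example below (not from the original report) lists such references in a message before it is rendered; the sample message, its example.org hosts and the names `remote_content` and `AUTO_FETCH` are constructed for the illustration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: a 1x1 remote image, a remote stylesheet and
# background, an embedded (cid:) image and an ordinary link.
SAMPLE = """\
From: unknown@example.org
To: reporter@example.net
Subject: Documents you asked for
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body background="//cdn.example.org/bg.png">
<p>Please see the attached file.</p>
<img src="http://tracker.example.org/open.gif?id=reporter" width="1" height="1">
<img src="cid:logo@example.org">
<link rel="stylesheet" href="https://cdn.example.org/mail.css">
<a href="http://example.org/story">link</a>
</body></html>
"""

# (tag, attribute) pairs a renderer may fetch on display, without any click.
AUTO_FETCH = {("img", "src"), ("link", "href"), ("iframe", "src"),
              ("body", "background"), ("table", "background"), ("td", "background")}


class RemoteRefs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in AUTO_FETCH and value:
                url = urlparse(value.strip())
                # http(s) and scheme-relative URLs leave the machine; cid: does not.
                if url.scheme in ("http", "https") or (not url.scheme and url.netloc):
                    self.refs.append((tag, url.netloc))


def remote_content(raw_message):
    """Return [(tag, host)] for content an HTML mail would load on display."""
    msg = message_from_string(raw_message, policy=default)
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = RemoteRefs()
            parser.feed(part.get_content())
            found.extend(parser.refs)
    return found
```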

3.2 Instant messaging applications

As we may know, instant messaging applications such as MSN, IM, ICQ, etc. can be wiretapped. You should make sure to encrypt your IM communications.

3.2.1 Encryption

Some tools, such as MSNshell, can encrypt communication on MSN. With such programs, even if your communication is wiretapped, the eavesdroppers cannot understand what you typed.

3.3 Martus-Human Rights Bulletin System

At the end of this part, I would like to introduce a publication system named Martus, which enables people to publish highly confidential information safely. For example, your sources in censored countries can report stories to your organization very safely via this system. When users wish to store information, they create a bulletin which, by default, is kept secret and available only to the group who generated that Martus account. The Martus software automatically records information in the bulletin. The user then types in a subject, keywords, the date of the incident, a short summary and a more extended description. This data is then saved as a bulletin which can be updated. Martus automatically copies and backs up bulletins that have been saved to a designated Martus Server.

3.3.1 Unidentified invitations

Besides, you should refuse any unidentified invitations in instant messengers. If they come from malicious hackers, your IP address will be exposed to them after you accept, and you will then be vulnerable to attack.

3.4 VOIP (Voice over Internet Protocol)

VoIP applications like Skype are actually very safe compared with traditional telephone communication. However, some evidence has shown that VoIP communication can also be intercepted and wiretapped. PGP and Zfone, created by the inventor of PGP, can encrypt VoIP communication, making it much safer than before.

3.5 Smart cell phones

Smart phones are actually a kind of mini computer that can run many software programs, including viruses. Therefore, you need to install protective tools to keep your mobile communication safe.

3.5.1 Pointsec for Symbian

The biggest threat is that your mobile communication could be listened in on. Some equipment can wiretap cell phone communication within a certain distance, and even listen to the background sound around your cell phone. Therefore, you had better cut your cell phone’s power when you talk about important things. Do not just press the “power off” button; take the battery out. Besides, you can install encryption software such as Pointsec.

3.5.2 Anti-viruses and firewalls

You should also install anti-virus and firewall tools, as you do on the computer. McAfee has rolled out anti-virus and firewall products for mobile platforms.

As journalists, we may have grown used to many kinds of threats, yet information security is often ignored. Therefore, in order to protect ourselves, good habits and awareness are more important than the tools introduced here. Moreover, technology is always a paradox: there is no absolute security even if you have equipped yourself with all those tools. We are aware that there is a threat, and the wisest course is to keep the threat as small as possible.