Uncategorized – Medill National Security Zone http://nationalsecurityzone.medill.northwestern.edu A resource for covering national security issues Tue, 15 Mar 2016 22:20:28 +0000 en-US hourly 1 PHOTOS: Tea Party Patriots lead rally against Iran nuclear deal at the U.S. Capitol http://nationalsecurityzone.medill.northwestern.edu/blog/2015/09/10/photos-tea-party-patriots-protest-iran-nuclear-deal-at-the-u-s-capitol/ Thu, 10 Sep 2015 20:41:48 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=23179 On Wednesday, the Tea Party Patriots staged a protest of the Iran nuclear deal on the U.S. Capitol's west lawn. Continue reading ]]>

WASHINGTON — On Wednesday, the Tea Party Patriots (in conjunction with For America, the Zionist Foundation of America and Secure Freedom) staged a rally against the Iran nuclear deal on the U.S. Capitol’s west lawn.  The event, which drew speakers including presidential candidates Sen. Ted Cruz, R-Texas, and Donald Trump, drew attendees from multiple states who carried signs, donned costumes and/or decked themselves out in all-things red, white and blue.  Here is a reporter’s-eye-view of the event.

]]>
#MedillRemembers James Foley, One Year Later http://nationalsecurityzone.medill.northwestern.edu/blog/2015/08/18/medillremembers-james-foley-one-year-later/ Tue, 18 Aug 2015 21:52:51 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=22942 Continue reading ]]> ]]> Off the page: Dan Archer on how ‘immersive journalism’ is changing the face of national security reporting http://nationalsecurityzone.medill.northwestern.edu/blog/2015/08/18/dan-archer-debrief/ Tue, 18 Aug 2015 16:15:17 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=22889 Continue reading ]]> This image is a screenshot from Dan Archer's Ferguson Firsthand piece. (Dan Archer/Courtesy)

This image is a screenshot from Dan Archer’s Ferguson Firsthand piece. (Dan Archer/Courtesy)

In the course of covering national security, there may be moments when words will seemingly come up short — scenes where descriptions rooted in paper and ink (or in pixels on a screen) will feel insufficient to put readers in the depth of a moment.

The color of the clouds created by smoke and gas suspended in the air during a riot. The timbre of a witness’ cries after a shooting. The claustrophobia of a crowded courtroom.

The pressure to capture the multi-sensory essence of a story might be a challenge for print reporters, but moments like these are the stuff one journalist’s reporting dreams are made on.

Dan Archer.

Archer is a transmedia journalist who works as a Reynold’s Fellow at the Missouri School of Journalism’s Donald W. Reynolds Journalism Institute and a graphic journalist at Empathetic Media.

His style of domestic civil rights and national security reportage combines elements such as video game platforms, comic-book-style editorial cartooning, data and other media elements into what he calls “immersive journalism” to give audiences greater control of how they navigate the news and to let them explore stories from multiple points of view.

One such endeavor is a comic recreation of eyewitness testimonies from the Michael Brown shooting in Ferguson, Missouri, created for Fusion.  The Instagram image below is a snapshot from the project, which can be viewed here.

Another was his so-called “sketchbook” from the streets of Baltimore’s Sandtown neighborhood, where Freddie Gray was arrested and later died in Baltimore Police custody.

But perhaps his most well-known project — and one which, according to Archer, most accurately reflects his current focus on transmedia (versus merely graphic) journalism — was the “virtual-reality experience” he built which allows users to explore the Michael Brown shooting crime scene from the perspectives of multiple witnesses and incorporates primary documents, witness testimony, photo-based scene reconstruction, data visualization and more.

The Medill National Security Journalism Initiative spoke to Archer via Skype to get the story behind his stories and insight into the potential for new media to change the face of national security reporting.

According to Archer, the graphic side of transmedia reporting can catch people off guard initially, but actually allows for greater ease of access to subjects — especially ones who might otherwise be scared off by cameras.

He also said it helps keep the stories focused on their subjects, rather than on the journalist’s experience while trying to report them out (i.e. riot coverage that focuses on what’s happening to a reporter vs. what’s motivating the crowd to be there in the first place). He expressed a discomfort with this “ego journalism,” but was careful to call out the practice vs. its media practitioners.

But he said that transmedia journalism does little to make government and law-enforcement officials more comfortable in interviews and depictions than more traditional forms of reporting would, especially in the age of body cameras and a growing demand for increased police accountability.

Archer said that immersive reporting isn’t that big of a departure from graphic journalism.  Rather, it allows aspects of 2-D reporting to be expanded into further dimensions (such as sound or, in the case of versions of his Ferguson reconstruction designed for virtual-reality consoles, three-dimensional navigation and spatial understanding).

He said diving into the design of such storytelling environments isn’t intensely complicated due to the availability of game engines (some of which are freely available) and YouTube tutorials.

His advice for more traditional print journalists?

Throw orthodoxy out the window, get a handle on emerging interactive story tools and set out to discover fresh approaches to building narratives — especially when it comes to topics that may be so ubiquitous that audiences have tuned out their media coverage.

]]>
#IRE15: Meyer re-elected to IRE Board of Directors, Executive Committee http://nationalsecurityzone.medill.northwestern.edu/blog/2015/06/09/ire15-meyer-re-elected-to-ire-board-of-directors-executive-committee/ Tue, 09 Jun 2015 20:23:38 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=22400 Continue reading ]]> Joshua Meyer, Washington D.C., August 5 2011.Medill National Security Journalism Initiative Director of Education and Outreach Josh Meyer was re-elected to the Investigative Reporters and Editors’ Board of Directors and Executive Committee on Saturday.

On Friday, Meyer moderated a panel entitled “Future threats: New avenues of investigative reporting in the fast-changing world of emerging global crises.” The talk brought together Pulitzer Prize winner Deborah Nelson, VICE News Environmental Editor Robert Eshelman and Pace University Senior Fellow for Environmental Understanding Andrew Revkin in conversation about how they are using cutting-edge storytelling tools and technologies to craft narratives about emerging national security issues.

Meyer participated in the conference’s “Career Roundtable” on what employers want to see in job applicants.

Meyer also served as a judge for the 2015 IRE Golden Padlock Award.

According to IRE’s website, the award recognizes “the most secretive publicly-funded agency or person in the United States.” This year’s honor went to the Massachusetts State Police.

The Board of Directors and Executive Committee elections were conducted during the group’s annual conference, which drew a crowd of 1,800 journalists from across the globe and featured New York Times reporter and Medill alum James Risen as keynote speaker.

You can view highlights from Risen’s talk via a Storify created by Madison Feller for IRE here:

For more information on IRE, visit the organization’s website here.

]]>
Josh Meyer moderates conflict reporting talk at UChicago Institute of Politics http://nationalsecurityzone.medill.northwestern.edu/blog/2015/06/01/josh-meyer-moderates-conflict-reporting-talk-at-uchicago-institute-of-politics/ Mon, 01 Jun 2015 18:49:28 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=22299 Continue reading ]]> ]]> Medill NSJI students embed with Marines at Twentynine Palms http://nationalsecurityzone.medill.northwestern.edu/blog/2015/05/30/medill-nsji-students-embed-with-marines-at-twentynine-palms/ Sat, 30 May 2015 22:44:29 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=22292 Continue reading ]]>
  • (Photo: Medill NSJI)

Check out the suite of stories produced by graduate students in Medill’s National Security Journalism Specialization program:

]]>
A How-to Guide for Encrypting and Protecting Digital Communications using PGP http://nationalsecurityzone.medill.northwestern.edu/blog/2015/05/11/a-how-to-guide-for-encrypting-and-protecting-digital-communications-using-pgp/ Mon, 11 May 2015 17:10:13 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=21917 Continue reading ]]> BY AARON RINEHART FOR THE MEDILL NSJI

“Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.”

— Edward Snowden, answering questions live on the Guardian’s website

From surveillance to self-censorship, journalists are being subjected to increased threats from foreign governments, intelligence agencies, hacktivists and other actors who seek to limit or otherwise manipulate the information they possess. The notorious Edward Snowden stressed to the New York Times in an encrypted interview the importance of encryption for journalists: “It should be clear that [for an] unencrypted journalist to source communication is unforgivably reckless.” If journalists are communicating insecurely and without encryption, they put themselves, their sources and their reporting at unnecessary levels of risk. This sort of risky behavior may send the wrong message to potential key sources, like it almost did when Glenn Greenwald almost missed out on the landmark story of National Security Agency surveillance set out in the Snowden documents because he wasn’t communicating via encryption.

The aim of this how-to guide is to provide a clear path forward for journalists to protect the privacy of their reporting and the safety of their sources by employing secure communication methodologies that are proven to deliver.

How and When Should I Encrypt?

Understanding the basics of encryption and applying these tools and techniques to a journalist’s reporting is rapidly becoming the new normal when conducting investigative research and communicating with sources. It is, therefore, just as vital to know when and how to encrypt sensitive data as it is to understand the tools needed to do it.

In terms of when to encrypt, confidential information should be both encrypted “At-Rest” and “In-Transit” (or “In-Motion”). The term data-at-rest refers to data that is stored in a restful state on storage media. An example of this is when a file is located in a folder on a computer’s desktop or an email sitting in a user’s in-box. The term data-in-transit describes the change of data from being in a restful state to being in motion. An example of data-in-transit is when a file is being sent in an email or to a file server. With data-in-transit, the method of how the data is being transmitted from sender to receiver is the primary focus — not just the message. This is illustrated more effectively in the example of using a public wireless network in that if the network is not setup to use strong encryption to secure your connection, it may be possible for someone to intercept your communications. The use of encryption in this use case demonstrates how sensitive data, when not encrypted while in transit, can be compromised.

Methods for protecting Data-at-Rest and Data-in-Transit

Data-at-Rest can be protected through the following methods.

One suggested methodology is to encrypt the entire contents of the storage media, such as a hard drive on a computer or an external drive containing sensitive material. This method provides a higher level of security and can be advantageous in the event of a loss or theft of the storage media.

A second method – which should be ideally combined with the first method – is to encrypt the files, folders and email containing sensitive data using Pretty Good Privacy (or PGP) encryption. PGP encryption also has the added benefit of protecting data-in-transit, since the data stays encrypted while in motion

The name itself doesn’t inspire much confidence, but PGP or “Pretty Good Privacy” encryption has held strong as the preferred method by which individuals can communicate securely and encrypt files.

The concepts surrounding PGP and getting it operational can often seem complex, but this guide aims to make the process of getting started and using PGP clearer.

PGP Essentials: The Basics of Public and Private Keys

Before diving too deeply into the software setup needed to use PGP, it is important to understand a few key fundamentals of how PGP encryption works.

Within PGP and most public-key cryptography, each user has two keys that form something called a keypair. The reason the two keys are referred to as a keypair is that the two are mathematically linked.

The two keys used by PGP are referred to as a private key, which must always be kept secret, and a public key, which is available for distribution to people with whom the user chooses to communicate. Private keys are predominantly used in terms of email communications to decrypt emails from a sender. Public keys are designed for others to use to encrypt mail to the user.

In order to send someone an encrypted email, the sender must first have that recipient’s public key and have established a trusted relationship. Most encryption systems in terms of digital communications are based on establishing a system of trust between communicating parties. In terms of PGP, exchanging public keys is the first step in that process.

Key Management: Best Practices

Regardless of whether the user is using the OpenPGP standard with GNU Privacy Guard (GPG) or another derivative, there are a few useful points to consider in terms of encryption key management.

Private Keys are Private!

The most important concept to remember is that private Keys should be kept private. If someone compromises the user’s private key, all communications would be trivial to intercept.

Generating Strong Encryption Keys

When generating strong private/public keypairs there are some important things to remember:

  • Utilize Large Key Sizes and Strong Hashing Algorithms

It is recommended that when generating a keypair to make the key size at least 4096bit RSA with the SHA512 hashing algorithm. The encryption key is one of the most important pieces in terms of how the encryption operations are executed. The key is provided to present a unique “secret” input that becomes the basis for the mathematical operations executed by the encryption algorithm. A larger key size increases the strength of the cryptographic operations as it complicates the math due to the larger input value. Thus, it makes the encryption more difficult to break.

  • Set Encryption Key Expiration Dates

Choose an expiration date less than two years in the future.

  • Strong Passphrase

From a security perspective, the passphrase is usually the most vulnerable part of the encryption procedure. It is highly recommended that the user choose a strong passphrase.

In general terms, the goal should be to create a passphrase that is easy to remember and to type when needed, but very hard for someone else to guess.

A well-known method for creating strong, but easy to remember, passwords is referred to as ‘diceware,’. Diceware is a method for creating passphrases, passwords and other cryptographic variables using an ordinary die from a pair of dice as a random number generator. The random numbers generated from rolling dice are used to select words at random from a special list called the Diceware Word List. The recommendation when using diceware to create a PGP passphrase is to use a minimum of six words in your passphrase. An alternative method for creating and storing strong passphrases is to use a secure password manager such as KeePass.

Backing Up Private Keys

Although a journalist may be practicing good security by encrypting sensitive information, it would be devastating if a disruptive event – such as a computer hardware failure – caused them to lose their private key, as it would be near-impossible to decrypt without it. When backing up a private key, it is important to remember that is should only be stored on a trusted media, database or storage drive that is preferably encrypted.

Public Key Servers

There are several PGP Public Key servers that are available on the web. It is recommended for journalists upload a copy of their public keys to public key servers like hkp://pgp.met.edu to open their reporting up to potential sources who wish to communicate securely. By uploading a copy of the public key to the key server, anyone who wants to communicate can search by name, alias or email address to find the public key of the person their looking for and import it.

Validating Public Keys: Fingerprints

When a public key is received over an untrusted channel like the Internet, it is important to authenticate the public key using the key’s fingerprint. The fingerprint of an encryption key is a unique sequence of letters and numbers used to identify the key. Just like the fingerprints of two different people, the fingerprints of two different keys can never be identical. The fingerprint is the preferred method to identify a public key. When validating a public key using its fingerprint, it is important to validate the fingerprint over an alternative trusted channel.

For example, if a journalist receives a public key for a source on a public key server, it is important for them to validate the key by either communicating in person, calling them over secure phone or via an alternate communication channel. The purpose of key validation is to guarantee that the person being communicated with is the key’s true owner.

Adding PGP Public Key Fingerprint to Twitter

For journalists, its important to ensure sources can quickly validate their public keys that they retrieve from Public Key servers. A common method to convey a PGP public key to the public is to tweet the public key fingerprint and link to that tweet in to the bio.

Another method is to link directly to the PGP key on a public keyserver (like MIT’s) and to provide a copy of the key fingerprint in the bio, like this example with Barton Gellman.

1

GNU Privacy Guard: Encrypting Email with GPG

Hold up, stop and wait a minute: I thought the topic of discussion was PGP.

Is GPG a typo?

No. In fact, GPG (or the GNU Privacy Guard) is the GPL-licensed alternative to the PGP suite of encryption software. Both GPG and PGP utilize the same OpenPGP standard and are fully compatible with one another.

Getting Started with GPG: From Setup to Secure

A Step-by-Step Guide to Setting up GPGTools on Apple OSX

Tutorial Objectives

  • How to install and configure PGP on OS X
  • How to use PGP operationally

Install the GPGTools GPG Suite for OS X

This step is simple. Visit the GPGTools website and download the GPG Suite for OS X. Once downloaded, mount the DMG and run the “Install.”

2

Select all modules and, then, press “Install.”

3

Generating a New PGP key

When the installer completes, a new app called “GPG Keychain Access” will launch. A small window will pop up immediately and say: “GPG Keychain Access would like to access your contacts.” Press “OK.”

4

After pressing “OK,” a second window will pop up that says “Generate a new keypair.” Type in your name and your email address. Also, check the box that says “Upload public key after generation.” The window should look like this:

5

Expand the “Advanced options” section. Increase the key length to 4096 for extra security. Reduce the “Expiration date” to 1 year from today. The window should look like this:

6

Press “Generate key.”

After pressing “Generate key,” the “Enter passphrase” window will pop up.

Okay, now this is important

The Importance of Good Passphrases

The entire PGP encryption process will rest on the passphrase that is chosen.

First and foremost: Don’t use a passphrase that other people know! Pick something only you will know and others can’t guess. Once you have a passphrase selected, don’t give it to other people.

Second, do not use a password, but rather a passphrase — a sentence. For example, “ILoveNorthwesternU!” is less preferable than “I graduated from Northwestern U in 1997 and it’s the Greatest U on Earth?!” The longer your passphrase, the more secure your key.

Lastly, make sure your passphrase is something you can remember. Since it is long, there is a chance that you might forget it. Don’t. The consequences to that will be dire. Make sure you can remember your passphrase. In general there are several methodologies by which you can employ to store your passphrase to ensure its safekeeping. One such method would be to make use of a password manager like “KeePass”, an open source encrypted password database that securely stores your passwords.

Once you decide on your passphrase, type it in the “Enter passphrase” window. Turn on the “Show typing” option, so you can be 100% sure that you’ve typed in your passphrase without any spelling errors. When everything looks good, press “OK:”

7

You will be asked to reenter the passphrase. Do it and press “OK:”

8

You will then see a message saying, “We need to generate a lot of random bytes…” Wait for it to complete:

9

Your PGP key is ready to use:

PGPkeyready

Setup PGP Quick Access Shortcuts

Open System Preferences, select the “Keyboard” pane and go to the “Shortcuts” tab.

On the left hand side, select “Services.” Then, on the right, scroll down to the subsection “Text” and look for a bunch of entries that start with “OpenPGP:”

Go through each OpenPGP entry and check each one.

10

Bravo! You’re now done setting up PGP with OpenGPG on OS X!

Now, let’s discuss how to use it.

How to send a secure email

To secure an email in PGP, you will sign and encrypt the body of the message. You can just sign or just encrypt, but combining both operations will result in optimum security.

Conversely, when you receive a PGP-secured email, you will decrypt and verify it. This is the “opposite” of signing and encrypting.

Start off by writing an email:

  1. Select the entire body of the email and “Right Click and Go to Services -> OpenPGP: Sign” to sign it.
  1. Open the GPG Keychain Access app. Select “Lookup Key” and type in the email address of the person you are sending your message to. This will search the public keyserver for your source’s PGP key.

If your source has more than one key, select his most recent one.

You will receive a confirmation that your source’s key was successfully downloaded. You can press “Close.”

You will now see your source’s public key in your keychain.

  1. You can now quit GPG Keychain Access and return to writing the email.
  1. Select the entire body of the email (everything, not just the part you wrote) and “Right Click and Go to Services -> OpenPGP: Encrypt” to encrypt it. A window will pop up, asking you who the recipient is. Select the source’s public key you just downloaded and press “OK.”
  1. Your entire message is now encrypted! You can press “Send” safely.

As a reminder, you will only need to download your source’s public key once. After that, it will always be available in your keychain until the key expires.

How to receive a secure email

With our secure message sent, the recipient will now want to decipher it. For the sake of this step, I will pretend that I am the recipient.

I have received the message:

email

  1. Copy the entire body, from, and including, “—–BEGIN PGP MESSAGE—“, to, and including, “—–END PGP MESSAGE—“. Open a favorite text editor, and paste it:

email2

  1. Select the entire text, “Right click and select Services – OpenPGP – Decrypt” – to decrypt the message. You will immediately be prompted for your PGP passphrase. Type it in and press “OK:”

email3

  1. You will now see the decrypted message!

email4Next, you can verify the signature.

  1. Highlight the entire text and “Right Click and Go to Services -> OpenPGP: Verify”. You will see a message confirming the verification.
  2. Press “OK.”

Setting up GPG4Win on Windows

Tutorial Objectives

  • How to install and configure PGP on a PC
  • How to use PGP operationally

Installing the GPG4Win GPG Suite

This step is simple.

  1. Visit the GPG4win website and download the GPG Suite for OS X.
  2. Once downloaded, run the “Install”.

GPG1

Download Install File

GPG2

  1. Double-Click on the downloaded file to begin the installation wizard.
  2. Select the components to install, but keep it simple by installing all components except for Claws Mail.
  3. Select “Next”

A brief description of each component:

gpg3

  • Kleopatra – a certificate manager
  • GPA – another certificate manger
  • GpgOL  – a plugin for Outlook
  • GPGEX – an extension for Windows Explorer
  • Claw-Mail – a lightweight email program with GnuPG support built-in
  • Gpg4win Compendium  – a manual
  1. Select desired preferences and click “Nextgpg5

5. Click “Finish” to exit the install wizard.

Setting up GPG4Win using Thunderbird and Enigmail

Enigmail, a play on words originating from the Enigma machine used to encrypt secret messages during World War I, is a security extension or add-on to the Mozilla Thunderbird Email software. It enables you to write and receive email messages signed and/or encrypted with the OpenPGP standard. Enigmail provides a more simplified method for sending and receiving encrypted email communications. This step-by-step guide will help you get started installing and configuring the extension.

  1. Open Thunderbird and navigate to the Add-Ons Manager under the “Tools” menu.
  2. In the search dialog box, type “Enigmail.”Now, a list of Add-Ons will be available.
  3. Select the Enigmail add-on from the list.
  4. Click the “Install” button.

ENIG1

 

  1. There should now be a message indicating, “Enigmail will be installed after you restart Thunderbird.” Proceed with the installation by Clicking on the words “Restart Now

ENIG2

 

  1. After the Thunderbird application restarts, Enigmail should look like the image below. Proceed with configuring the add-on by Selecting Enigmail from the list.

ENIG3

  1. Select “I prefer a standard configuration (recommended for beginners)” and click “Next”.

Generating a Public/Private Keypair.

  1. Select the Account to generate the keys for.
  2. Enter in a strong passphrase
    • If the passphrase isn’t strong enough, the Passphrase quality meter will indicate that with a red- or yellow-colored bar (vs. the green one shown in the image below).
  3. Re-enter the strong passphrase to confirm.

keypair1

 

The Key Generation Process will generate a series of data based on random activity and assign it to the randomness pool for which to generate the keypair.

keypair2

 

 

  1. Save the revocation key to a trusted and safe, separate device (storage media)!

The revocation certificate can be used to invalidate a public key in the event of a loss of a secret (private) key.

keypair3

 

Key Management / View Key in Enigmail

management1

  1. Change the expiration date (suggested <2 years)

management2

 

  1. Upload Key To Public Keyserver (like hkp://pgp.mit.edu).

Public Keyserver Lookup

Look up the Public Keys of other people on public keyserver directly from within Enigmail.

  1. Select “Search for Keys” from the “Keyserver” dropdown menu.
  2. Enter in the Email Address or <FirstName><space><LastName> of the persons name that is being looked up.

A good test for this function is to try searching for Glenn Greenwald.

management3

 

Notice how many active public keys Glenn Greenwald has. This could be intentional, but it can also happen when setting up keys on a new device or email client and 1. Forgot the private key passphrase 2. Lost the key revocation file or forgotten the passphrase to unlock it.

The problem is that anyone contacting the user for the first time will have to figure out which key is the correct one to use. It also becomes a security risk because any one of those unused, but active, keys could be compromised, and result in adversaries accessing communications.

MORAL Of THE STORY: Set an expiration date, manage the revocation key file and manage passphrases.

Revoking a Key

  1. Right-click on the key and click on Key Properties.

revoke1

 

  1. At the bottom of the window Click on the ”Select Action” dropdown menu and Select “Revoke Key.”

revoke2

  1. A dialog box will pop up asking for the Private Key’s unique passphrase. Enter the passphrase for the key that is being revoked.

revoke3

  1. Once completed, the user will receive an ‘Enigmail Alert’ indicating that the key has been revoked. The alert warns the user that ‘if your key is available on a keyserver, it is recommended to re-upload it, so that others can see the revocation’. It is important to update the public keyservers to ensure that sources are aware of revoked keys and new keys on each account.

revoke4

 

Operationalizing GPG: A Pragmatic Approach

What do encrypt, decrypt, sign, and verify mean?

  • Encrypt takes the user’s secret key and the recipient’s public key, and jumbles a message. The jumbled text is secure from prying eyes. The sender always encrypts.
  • Decrypt takes an encrypted message, combined with the user’s secret key and the sender’s public key, and descrambles it. The recipient always decrypts. Encrypt and decrypt can be thought of as opposites.
  • Signing a message lets the receiver know that the user (the person with the user’s email address and public key) actually authored the message. Signing also provides additional cryptographic integrity by ensuring that no one has interfered with the encryption. The sender always signs a message.
  • Verifying a message is the process of analyzing a signed message to determine if the signature is true. Signing and verifying can be thought of as opposites.

When should someone sign a message? When should they encrypt?

If it is unnecessary to sign and encrypt every outgoing email, when should the user sign? And when should the user encrypt? And when should the user do nothing?

There are three sensible choices when sending a message:

  • Do nothing. If the contents of the email are public (non-confidential), and the recipient does not care whether the user or an impostor sent the message, then do nothing. The user can send the message as they’ve sent messages their entire life: in plain text.
  • Sign, but don’t encrypt. If the contents of the email are public (non-confidential), but the recipient wants assurance that the suspected sender (and not an impostor) actually sent the message, then the user should sign but not encrypt. Simply follow the tutorial above, skipping over the encryption and decryption steps.
  • Sign and encrypt. If the contents of the email are confidential, sign and encrypt. It does not matter whether the recipient wants assurance that the user sent the message; always sign when encrypting.

For a majority of emails that the user may send, encryption is just not always necessary. The remainder of the time, the user should sign and encrypt.

Whenever there is confidential information — such as sensitive reporting information, source address and name information, credit card numbers, bank numbers, social security numbers, corporate strategies or intellectual property — users should sign and encrypt. In terms of confidential information, users should err on the side of caution and sign and encrypt gratuitously rather than doing nothing and leaking sensitive information. As for the third option, users can sign, but do not encrypt.

Best Practices in Information Security

Despite best practices regarding the operational usage of PGP encryption, a disregard for the fundamentals of information security can still put a journalist’s communications in peril. It doesn’t matter how strong the encryption is if the user’s laptop has already been compromised, and is only a matter of time before the journalists’ encrypted communication method is in jeopardy.

Below is a short list of some high-level information security best practices. For more information on this subject, see Medill’s National Security Zone Digital Security Basics for Journalists.

  • Good password management

Journalists should not only create strong passwords, but also avoid using the same password for anything else. Consider using a password manager.

  • Keep software up to date.

Update software frequently. This helps thwart a majority of attacks to your system.

  • End-Point Security Software

Make use of antivirus and anti-malware software.

  • Be wary of odd emails and accompanying attachments.

When in doubt, don’t click. The goal of most phishing attacks is to either get you to download a file or send you to a malicious website to steal your username and password. If it doesn’t seem right or doesn’t make sense, try reaching out to the person via an alternate communication method before clicking.

  • Stay away from pirated software.

Nothing is truly free, as these software packages can often come with unintended consequences and malicious code packaged with them.

GPG Alternatives

  • CounterMail: a secure online email service utilizing PGP without the complexity of complicated key management.
  • DIMEDark Internet Mail Environment: a new approach and potential game-changer to secure and private email communications.

Additional Resources

Glossary of Terms

Keyword Definition
Ciphertext Ciphertext is encrypted text. Plaintext is what you have before encryption, and ciphertext is the encrypted result. The term cipher is sometimes used as a synonym for ciphertext, but it more properly means the method of encryption rather than the result.
Data-at-Rest Data at rest is a term that is sometimes used to refer to all data in computer storage while excluding data that is traversing a network or temporarily residing in computer memory to be read or updated.
Data-In-Transit Data in Transit is defined as data no longer at a restful state in storage and in motion.
Digital Signature A digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software, or digital document.
Encryption Encryption is the conversion of electronic data into another form, called ciphertext, which cannot be easily understood by anyone except authorized parties.
Fingerprint In public-key cryptography, a public key fingerprint is a short sequence of bytes used to authenticate or look up a longer public key. Fingerprints are created by applying a cryptographic hash function to a public key.
Key In cryptography, a key is a variable value that is applied using an algorithm to a string or block of unencrypted text to produce encrypted text, or to decrypt encrypted text.
Password Manager A password manager is a software application that helps a user store and organize passwords. Password managers usually store passwords encrypted, requiring the user to create a master password; a single, ideally very strong password which grants the user access to their entire password database.
Private Key In cryptography, a private or secret key is an encryption/decryption key known only to the party or parties that exchange secret messages. In traditional secret key cryptography, a key would be shared by the communicators so that each could encrypt and decrypt messages. The risk in this system is that if either party loses the key or it is stolen, the system is broken. A more recent alternative is to use a combination of public and private keys. In this system, a public key is used together with a private key.
Public Key In cryptography, a public key is a value provided by some designated authority as an encryption key that, combined with a private key derived from the public key, can be used to effectively encrypt messages and digital signatures.

Term Definitions provided by TechTarget.com, Webopedia.com, and Wikipedia.org

]]>
FOIA update: USDB releases Manual for the Guidance of Inmates (USDB Regulation 600-1, Nov. 2013) http://nationalsecurityzone.medill.northwestern.edu/blog/2015/04/27/foia-update-usdb-releases-manual-for-the-guidance-of-inmates-usdb-regulation-600-1-nov-2013/ Mon, 27 Apr 2015 19:00:32 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=21584 Continue reading ]]> WASHINGTON — On Monday, the United States Disciplinary Barracks’ Directorate of Inmate Administration released “USDB Regulation 600-1, Nov. 2013” entitled “Manual for the Guidance of Inmates” to the Medill National Security Journalism Initiative in response to an April 17 Freedom of Information Act request.

The 141-page document serves as the official rulebook for the treatment and behavior of inmates held at the military prison (including WikiLeaks firestarter Chelsea Manning) and addresses everything from media contact with inmates to rules regarding their appearance and hygiene.

The FOIA request was intended to increase transparency regarding the U.S. Army’s regulation of USDB inmates held at Fort Leavenworth, to better inform the press about rules regarding their contact with prisoners and to shed light on the status of civil liberties within the prison’s walls.

You can view the entire document below:

]]>
Demonstrators back Iranian dissidents in front of White House http://nationalsecurityzone.medill.northwestern.edu/blog/2015/04/20/demonstrators-back-iranian-dissidents-in-front-of-white-house/ Mon, 20 Apr 2015 13:29:08 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=21424 Continue reading ]]> Protestors rallied outside the White House on Tuesday, calling for the U.S. to protect 2,500 Mojahedin-e-Khalq (MEK) at Camp Liberty in Iraq. (Mary Lee/MEDILL)

Protestors rallied outside the White House on Tuesday, calling for the U.S. to protect 2,500 Mojahedin-e-Khalq (MEK) at Camp Liberty in Iraq. (Mary Lee/MEDILL)

WASHINGTON — In a meeting with the Iraqi Prime Minister, President Obama pledged $200 million in humanitarian aid Tuesday for Iraqis displaced by fighting with the Islamic State.

Not part of the agenda was the fate of approximately 2,500 members of the Mujahedeen-e-Khalq, or MEK, an exiled Iranian dissident group stranded at the former U.S. military base Camp Liberty in Baghdad.

In front of the White House on rain-drenched Pennsylvania Avenue, approximately 200 Iranian Americans, former U.S. military officers, and family members of the MEK rallied to call on Obama and Iraqi Prime Minister Haider al-Abadi to guarantee the safety and security of the group.

“The MEK worked very, very hard to help protect my soldiers and Marines,” said retired U.S. Army Col. Wes Martin, who worked closely with the MEK at Camp Ashraf, Iraq during his 2003-2004 deployment.

“I know dozens of my troops were able to come back home to their families because of the work they did; we owe them,” Martin said.

White House security promptly forced the crowd beyond  Lafayette Park, across the street from the executive mansion- to continue the rally a block away.

The MEK faces a dire situation at Camp Liberty, with minimal access to essential services such as food, water and medical care and periodic attacks by pro-Iranian militias.

Following the 2003 invasion of Iraq, the U.S. government pledged to support the group despite its official designation as a Foreign Terrorist Organization and its previous alliance with Saddam Hussein. At the time, the U.S.  declared MEK members “protected persons” under the Geneva Conventions.

In 2009, however, the U.S. transferred care of the MEK to the Iraqi government of Prime Minister Nouri al-Maliki, whose preferential sectarian policies helped precipitate the current crisis with the Islamic State.

“With the deteriorating situation in Iraq, the rise of ISIS and the ascendancy of pro-Iranian militia groups, the residents of Camp Liberty are under enormous danger,” said Ali Savavi, representative for the National Council of Resistance of Iran.

Al-Abadi’s designation as Iraqi Prime Minister in August 2014 raised new hopes that the residents of Camp Liberty would begin to receive Iraqi government support, though this has yet to materialize.

The plight of the MEK has attracted the attention of several prominent Americans.

In a letter to al-Abadi dated April 8, 2015, 34 former senior US government officials and military leaders called for al-Abadi to “personally intervene to stop the continued harassment of the residents [of Camp Liberty] by individuals in charge of security in the Camp, and the impeding of access to medical care.”

Signatories to the letter include former U.S. Army Chief of Staff George Casey, former CIA and NSA director Gen. Michael Hayden, former New York City Mayor Rudy Giuliani, and former FBI director Louis Freeh.

“As of this writing,” the letter notes, “24 Camp Liberty residents have died because they were prevented from getting timely access to needed medical care, and 1,300 are still coping with injuries from past rocket attacks.”

The MEK’s designation as a terrorist organization was rescinded by the State Department in September 2012. The group fled Iran in the wake of the 1979 Islamic Revolution and has been in Iraq ever since.

]]>
Long-ignored government practice lets IRS skirt fourth and fifth amendments http://nationalsecurityzone.medill.northwestern.edu/blog/2015/03/19/long-ignored-government-practice-lets-irs-skirt-fourth-and-fifth-amendments/ Thu, 19 Mar 2015 14:58:20 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=21101 Continue reading ]]> WASHINGTON — When Jeffrey Hirsch went to deposit money at his bank one morning in May 2012, his whole life changed. The teller told him the entire contents of his account—nearly half a million dollars—had been seized by the Internal Revenue Service.

Hirsch, a small business owner from Long Island, was never accused of a crime. Yet he would not see his $446,651.11 again for nearly three years due to the IRS’s civil asset forfeiture program, which allows the agency to seize money without filing criminal charges and keep it, in many cases, indefinitely.

Under federal law, banks are required to report cash deposits exceeding $10,000 to the Treasury Department, and account holders are forbidden from “structuring” deposits smaller than the $10,000 threshold to avoid the reporting requirement. If the IRS suspects someone is “structuring” their deposits, it can take their money without filing a criminal complaint.

The program was designed to help the federal government intercept the drug trade during the 1980s “war on drugs.” But the IRS has increasingly gone after small business owners and others who make frequent, small deposits.

“These laws were intended to target drug dealers and other hardened criminals engaged in money laundering or other criminal activity,” said Robert Johnson, Hirsch’s attorney. “In practice, however, the IRS enforces the structuring laws against innocent Americans who have no idea that depositing less than $10,000 in the bank could possibly get them in trouble with the law.”

Hirsch owns and operates Bi-County Distributors, a small business that distributes products to convenience stores on Long Island. The company had multiple accounts closed due its frequent cash deposits, which—when more than $10,000—require burdensome paperwork from the bank. Hirsch’s accountant recommended staying below the limit, so Hirsch often made cash deposits under $10,000.

On the basis of civil asset forfeiture, the IRS seized Hirsch’s money in May 2012 and held it for more than two years without issuing any charges against him. Twice, Hirsch said, the government offered settlements that would require him to surrender “a substantial portion” of the money.

“I rejected these offers as I felt that I had done nothing wrong and should not be forced to give up my hard-earned money for no reason,” Hirsch said. “I lived with that stress for over two-and-a-half years.”

Hirsch said the seizure drove his business “to the edge of insolvency,” forcing him to take extended lines of credit. In an attempt to demonstrate his innocence, he paid an accounting firm $25,000 to audit his own business.

“Government officials did not question the results of the audit and did not suggest that they were in possession of any evidence of wrongdoing by anyone associated with the business,” Hirsch said. “Nonetheless, the government still refused to return the money.”

To get seized funds back, property owners have to go to court against the Department of Justice—often a lengthy and expensive process.

In January, after a front-page story on civil asset forfeiture was published in The New York Times, the government agreed to return Hirsch’s money.

“In this country, people are supposed to be innocent until proven guilty. But, in the eyes of the IRS, I was guilty until proven innocent—forced to prove my own innocence to get my property back,” Hirsch said. “No other American should be put through the nightmare I experienced.”

But Hirsch’s case is not unique.

Documents obtained by the Institute for Justice, a national law firm that litigates property rights, show that the IRS conducted more than 2,500 of these seizures from 2005 to 2012.

In that seven-year period, the agency collected more than $242 million in suspected structuring violations. At least a third of those seizures “arose from nothing more than a series of cash transactions under $10,000, with no other criminal activity alleged,” according to the report.

And under federal law, the IRS gets to keep this money. Funds seized through civil forfeiture are deposited in the Treasury Forfeiture Fund, which is available for use by the IRS without any appropriation by Congress.

“Shockingly, the government uses the money that it takes through civil forfeiture to pad the budgets of the very agencies that seize the money,” said Johnson, who also works for the Institute for Justice. “The result is a legal system in which the deck is stacked against ordinary Americans.”

While the issue went largely unnoticed until late last year, lawmakers on Capitol Hill—both Republican and Democrat—are now looking for change from the long-embattled agency.

The House Oversight Subcommittee’s first hearing of the new Congress called on IRS Commissioner John Koskinen to testify. He was met with harsh criticism.

Rep. Mike Kelly, R-Pa., went so far as to compare civil asset forfeiture to torture. “You talk about waterboarding, this is waterboarding at its worst,” he said.

The IRS has promised to change. Koskinen apologized to the small business owners at the hearing and said the agency would no longer pursue civil seizure on structuring grounds “unless there are exceptional circumstances.”

“We’ve changed the policy from our standpoint,” Koskinen said.

But Johnson isn’t satisfied with the IRS’ promise.

“The only surefire reform of civil forfeiture is to eliminate the practice entirely, and to require all forfeiture to proceed under the criminal laws,” Johnson said. “Short of that, the IRS policy change—limiting application of the structuring laws to funds derived from illegal sources—should be codified in statute, and without any open-ended loophole for ‘exceptional’ cases.”

Many lawmakers also aren’t satisfied with the IRS’s “exceptional circumstances” standard.

In January, Sen. Rand Paul, R-Ky., and Rep. Tim Walberg, R-Mich., introduced a bill that would curb IRS forfeiture abuses by stopping the IRS from seizing funds without criminal charges and make it simpler and faster for innocent property owners to get their money back.

The bill is only in the primary stages of the legislative process, but some sort of remedial legislation is likely to receive support.

“It is wrong without any criminal evidence to seize anyone’s property,” Kelly said. “This flies in the face of everything we are as a country.”

]]>