Tag Archives: Aaron Rinehart

Experts: Commercial airliners need air gap for cyberprotection (video)

WASHINGTON – At a time when cybersecurity is at the forefront of many Americans’ minds, that manufacturing companies are producing commercial planes that experts say are more likely to be hacked than previous versions.

Recently a cybersecurity expert was pulled off a United Airlines flight after tweeting that he had the ability to access the plane’s systems, such as control of the oxygen masks on board.

The expert, Chris Roberts, was then taken into FBI custody and questioned for hours.

While Roberts says he was not attempting to harm anyone on board, the event drew attention worldwide to possible gaps in security onboard commercial flights with in-flight Wi-Fi.

According to a recent report by the Government Accountability Office, there is more connectivity in the Boeing 787 and Airbus A350 between cockpit and cabin Wi-Fi systems than in previous models.

Aaron Rinehart, CEO of cybersecurity company Testbed Inc. and a former security expert for the U.S. Transportation Security Administration, says that this is a step backward in terms of security and safety.

 

Rinehart says cockpit systems should be air gapped, meaning that the system is physically isolated from all unsecured computer networks, including the in-flight entertainment system onboard. This disconnects the cockpit from outside systems to prevent hackers from accessing it.

“It doesn’t seem to me either logical or rational to combine in-flight Wi-Fi with the avionics systems,” Rinehart said.

Why anyone would combine these systems and take the extra risk isn’t clear.

“My guess would be they want to combine the signal and maybe just either save money or save the amount of power because all those antennas require power,” he said.

“If there’s multiple antennas [putting off] separate signals, it may require more power for that… which to me represents a considerable threat.”

In its report, the GAO found that firewalls are currently protecting avionics systems on planes from hacks, but, like any software, firewalls don’t always prevent attacks on networked systems.

Rinehart says the systems should remain completely separate to avoid problems, including downed airliners.

What do the airlines say about this, especially United, since they’re the ones that pulled Roberts off the plane?

Although the argument can be made that it is difficult to hack into a plane’s avionics system and launch such an attack, experts say the threat of malicious activities grows along with increased connectivity.

For example, Macworld recently reported that American Airlines’ fleet of Boeing 737 aircrafts experienced a glitch in an iPad app used by pilots in their cockpits. This caused all of the fleet’s iPads to go dead at once and leaving passengers delayed for hours at airports across the country.

According to Rinehart, if it were decided that all systems needed to be air gapped, planes can be retrofitted with these systems, but it is easier to design with air gapping in mind in the beginning while factoring in the cost.

“We’ve already had enough [problems] in the past two years,” he said. “Our regulatory authorities don’t need to contribute to that.”

A How-to Guide for Encrypting and Protecting Digital Communications using PGP

BY AARON RINEHART FOR THE MEDILL NSJI

“Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.”

— Edward Snowden, answering questions live on the Guardian’s website

From surveillance to self-censorship, journalists are being subjected to increased threats from foreign governments, intelligence agencies, hacktivists and other actors who seek to limit or otherwise manipulate the information they possess. The notorious Edward Snowden stressed to the New York Times in an encrypted interview the importance of encryption for journalists: “It should be clear that [for an] unencrypted journalist to source communication is unforgivably reckless.” If journalists are communicating insecurely and without encryption, they put themselves, their sources and their reporting at unnecessary levels of risk. This sort of risky behavior may send the wrong message to potential key sources, like it almost did when Glenn Greenwald almost missed out on the landmark story of National Security Agency surveillance set out in the Snowden documents because he wasn’t communicating via encryption.

The aim of this how-to guide is to provide a clear path forward for journalists to protect the privacy of their reporting and the safety of their sources by employing secure communication methodologies that are proven to deliver.

How and When Should I Encrypt?

Understanding the basics of encryption and applying these tools and techniques to a journalist’s reporting is rapidly becoming the new normal when conducting investigative research and communicating with sources. It is, therefore, just as vital to know when and how to encrypt sensitive data as it is to understand the tools needed to do it.

In terms of when to encrypt, confidential information should be both encrypted “At-Rest” and “In-Transit” (or “In-Motion”). The term data-at-rest refers to data that is stored in a restful state on storage media. An example of this is when a file is located in a folder on a computer’s desktop or an email sitting in a user’s in-box. The term data-in-transit describes the change of data from being in a restful state to being in motion. An example of data-in-transit is when a file is being sent in an email or to a file server. With data-in-transit, the method of how the data is being transmitted from sender to receiver is the primary focus — not just the message. This is illustrated more effectively in the example of using a public wireless network in that if the network is not setup to use strong encryption to secure your connection, it may be possible for someone to intercept your communications. The use of encryption in this use case demonstrates how sensitive data, when not encrypted while in transit, can be compromised.

Methods for protecting Data-at-Rest and Data-in-Transit

Data-at-Rest can be protected through the following methods.

One suggested methodology is to encrypt the entire contents of the storage media, such as a hard drive on a computer or an external drive containing sensitive material. This method provides a higher level of security and can be advantageous in the event of a loss or theft of the storage media.

A second method – which should be ideally combined with the first method – is to encrypt the files, folders and email containing sensitive data using Pretty Good Privacy (or PGP) encryption. PGP encryption also has the added benefit of protecting data-in-transit, since the data stays encrypted while in motion

The name itself doesn’t inspire much confidence, but PGP or “Pretty Good Privacy” encryption has held strong as the preferred method by which individuals can communicate securely and encrypt files.

The concepts surrounding PGP and getting it operational can often seem complex, but this guide aims to make the process of getting started and using PGP clearer.

PGP Essentials: The Basics of Public and Private Keys

Before diving too deeply into the software setup needed to use PGP, it is important to understand a few key fundamentals of how PGP encryption works.

Within PGP and most public-key cryptography, each user has two keys that form something called a keypair. The reason the two keys are referred to as a keypair is that the two are mathematically linked.

The two keys used by PGP are referred to as a private key, which must always be kept secret, and a public key, which is available for distribution to people with whom the user chooses to communicate. Private keys are predominantly used in terms of email communications to decrypt emails from a sender. Public keys are designed for others to use to encrypt mail to the user.

In order to send someone an encrypted email, the sender must first have that recipient’s public key and have established a trusted relationship. Most encryption systems in terms of digital communications are based on establishing a system of trust between communicating parties. In terms of PGP, exchanging public keys is the first step in that process.

Key Management: Best Practices

Regardless of whether the user is using the OpenPGP standard with GNU Privacy Guard (GPG) or another derivative, there are a few useful points to consider in terms of encryption key management.

Private Keys are Private!

The most important concept to remember is that private Keys should be kept private. If someone compromises the user’s private key, all communications would be trivial to intercept.

Generating Strong Encryption Keys

When generating strong private/public keypairs there are some important things to remember:

  • Utilize Large Key Sizes and Strong Hashing Algorithms

It is recommended that when generating a keypair to make the key size at least 4096bit RSA with the SHA512 hashing algorithm. The encryption key is one of the most important pieces in terms of how the encryption operations are executed. The key is provided to present a unique “secret” input that becomes the basis for the mathematical operations executed by the encryption algorithm. A larger key size increases the strength of the cryptographic operations as it complicates the math due to the larger input value. Thus, it makes the encryption more difficult to break.

  • Set Encryption Key Expiration Dates

Choose an expiration date less than two years in the future.

  • Strong Passphrase

From a security perspective, the passphrase is usually the most vulnerable part of the encryption procedure. It is highly recommended that the user choose a strong passphrase.

In general terms, the goal should be to create a passphrase that is easy to remember and to type when needed, but very hard for someone else to guess.

A well-known method for creating strong, but easy to remember, passwords is referred to as ‘diceware,’. Diceware is a method for creating passphrases, passwords and other cryptographic variables using an ordinary die from a pair of dice as a random number generator. The random numbers generated from rolling dice are used to select words at random from a special list called the Diceware Word List. The recommendation when using diceware to create a PGP passphrase is to use a minimum of six words in your passphrase. An alternative method for creating and storing strong passphrases is to use a secure password manager such as KeePass.

Backing Up Private Keys

Although a journalist may be practicing good security by encrypting sensitive information, it would be devastating if a disruptive event – such as a computer hardware failure – caused them to lose their private key, as it would be near-impossible to decrypt without it. When backing up a private key, it is important to remember that is should only be stored on a trusted media, database or storage drive that is preferably encrypted.

Public Key Servers

There are several PGP Public Key servers that are available on the web. It is recommended for journalists upload a copy of their public keys to public key servers like hkp://pgp.met.edu to open their reporting up to potential sources who wish to communicate securely. By uploading a copy of the public key to the key server, anyone who wants to communicate can search by name, alias or email address to find the public key of the person their looking for and import it.

Validating Public Keys: Fingerprints

When a public key is received over an untrusted channel like the Internet, it is important to authenticate the public key using the key’s fingerprint. The fingerprint of an encryption key is a unique sequence of letters and numbers used to identify the key. Just like the fingerprints of two different people, the fingerprints of two different keys can never be identical. The fingerprint is the preferred method to identify a public key. When validating a public key using its fingerprint, it is important to validate the fingerprint over an alternative trusted channel.

For example, if a journalist receives a public key for a source on a public key server, it is important for them to validate the key by either communicating in person, calling them over secure phone or via an alternate communication channel. The purpose of key validation is to guarantee that the person being communicated with is the key’s true owner.

Adding PGP Public Key Fingerprint to Twitter

For journalists, its important to ensure sources can quickly validate their public keys that they retrieve from Public Key servers. A common method to convey a PGP public key to the public is to tweet the public key fingerprint and link to that tweet in to the bio.

Another method is to link directly to the PGP key on a public keyserver (like MIT’s) and to provide a copy of the key fingerprint in the bio, like this example with Barton Gellman.

1

GNU Privacy Guard: Encrypting Email with GPG

Hold up, stop and wait a minute: I thought the topic of discussion was PGP.

Is GPG a typo?

No. In fact, GPG (or the GNU Privacy Guard) is the GPL-licensed alternative to the PGP suite of encryption software. Both GPG and PGP utilize the same OpenPGP standard and are fully compatible with one another.

Getting Started with GPG: From Setup to Secure

A Step-by-Step Guide to Setting up GPGTools on Apple OSX

Tutorial Objectives

  • How to install and configure PGP on OS X
  • How to use PGP operationally

Install the GPGTools GPG Suite for OS X

This step is simple. Visit the GPGTools website and download the GPG Suite for OS X. Once downloaded, mount the DMG and run the “Install.”

2

Select all modules and, then, press “Install.”

3

Generating a New PGP key

When the installer completes, a new app called “GPG Keychain Access” will launch. A small window will pop up immediately and say: “GPG Keychain Access would like to access your contacts.” Press “OK.”

4

After pressing “OK,” a second window will pop up that says “Generate a new keypair.” Type in your name and your email address. Also, check the box that says “Upload public key after generation.” The window should look like this:

5

Expand the “Advanced options” section. Increase the key length to 4096 for extra security. Reduce the “Expiration date” to 1 year from today. The window should look like this:

6

Press “Generate key.”

After pressing “Generate key,” the “Enter passphrase” window will pop up.

Okay, now this is important

The Importance of Good Passphrases

The entire PGP encryption process will rest on the passphrase that is chosen.

First and foremost: Don’t use a passphrase that other people know! Pick something only you will know and others can’t guess. Once you have a passphrase selected, don’t give it to other people.

Second, do not use a password, but rather a passphrase — a sentence. For example, “ILoveNorthwesternU!” is less preferable than “I graduated from Northwestern U in 1997 and it’s the Greatest U on Earth?!” The longer your passphrase, the more secure your key.

Lastly, make sure your passphrase is something you can remember. Since it is long, there is a chance that you might forget it. Don’t. The consequences to that will be dire. Make sure you can remember your passphrase. In general there are several methodologies by which you can employ to store your passphrase to ensure its safekeeping. One such method would be to make use of a password manager like “KeePass”, an open source encrypted password database that securely stores your passwords.

Once you decide on your passphrase, type it in the “Enter passphrase” window. Turn on the “Show typing” option, so you can be 100% sure that you’ve typed in your passphrase without any spelling errors. When everything looks good, press “OK:”

7

You will be asked to reenter the passphrase. Do it and press “OK:”

8

You will then see a message saying, “We need to generate a lot of random bytes…” Wait for it to complete:

9

Your PGP key is ready to use:

PGPkeyready

Setup PGP Quick Access Shortcuts

Open System Preferences, select the “Keyboard” pane and go to the “Shortcuts” tab.

On the left hand side, select “Services.” Then, on the right, scroll down to the subsection “Text” and look for a bunch of entries that start with “OpenPGP:”

Go through each OpenPGP entry and check each one.

10

Bravo! You’re now done setting up PGP with OpenGPG on OS X!

Now, let’s discuss how to use it.

How to send a secure email

To secure an email in PGP, you will sign and encrypt the body of the message. You can just sign or just encrypt, but combining both operations will result in optimum security.

Conversely, when you receive a PGP-secured email, you will decrypt and verify it. This is the “opposite” of signing and encrypting.

Start off by writing an email:

  1. Select the entire body of the email and “Right Click and Go to Services -> OpenPGP: Sign” to sign it.
  1. Open the GPG Keychain Access app. Select “Lookup Key” and type in the email address of the person you are sending your message to. This will search the public keyserver for your source’s PGP key.

If your source has more than one key, select his most recent one.

You will receive a confirmation that your source’s key was successfully downloaded. You can press “Close.”

You will now see your source’s public key in your keychain.

  1. You can now quit GPG Keychain Access and return to writing the email.
  1. Select the entire body of the email (everything, not just the part you wrote) and “Right Click and Go to Services -> OpenPGP: Encrypt” to encrypt it. A window will pop up, asking you who the recipient is. Select the source’s public key you just downloaded and press “OK.”
  1. Your entire message is now encrypted! You can press “Send” safely.

As a reminder, you will only need to download your source’s public key once. After that, it will always be available in your keychain until the key expires.

How to receive a secure email

With our secure message sent, the recipient will now want to decipher it. For the sake of this step, I will pretend that I am the recipient.

I have received the message:

email

  1. Copy the entire body, from, and including, “—–BEGIN PGP MESSAGE—“, to, and including, “—–END PGP MESSAGE—“. Open a favorite text editor, and paste it:

email2

  1. Select the entire text, “Right click and select Services – OpenPGP – Decrypt” – to decrypt the message. You will immediately be prompted for your PGP passphrase. Type it in and press “OK:”

email3

  1. You will now see the decrypted message!

email4Next, you can verify the signature.

  1. Highlight the entire text and “Right Click and Go to Services -> OpenPGP: Verify”. You will see a message confirming the verification.
  2. Press “OK.”

Setting up GPG4Win on Windows

Tutorial Objectives

  • How to install and configure PGP on a PC
  • How to use PGP operationally

Installing the GPG4Win GPG Suite

This step is simple.

  1. Visit the GPG4win website and download the GPG Suite for OS X.
  2. Once downloaded, run the “Install”.

GPG1

Download Install File

GPG2

  1. Double-Click on the downloaded file to begin the installation wizard.
  2. Select the components to install, but keep it simple by installing all components except for Claws Mail.
  3. Select “Next”

A brief description of each component:

gpg3

  • Kleopatra – a certificate manager
  • GPA – another certificate manger
  • GpgOL  – a plugin for Outlook
  • GPGEX – an extension for Windows Explorer
  • Claw-Mail – a lightweight email program with GnuPG support built-in
  • Gpg4win Compendium  – a manual
  1. Select desired preferences and click “Nextgpg5

5. Click “Finish” to exit the install wizard.

Setting up GPG4Win using Thunderbird and Enigmail

Enigmail, a play on words originating from the Enigma machine used to encrypt secret messages during World War I, is a security extension or add-on to the Mozilla Thunderbird Email software. It enables you to write and receive email messages signed and/or encrypted with the OpenPGP standard. Enigmail provides a more simplified method for sending and receiving encrypted email communications. This step-by-step guide will help you get started installing and configuring the extension.

  1. Open Thunderbird and navigate to the Add-Ons Manager under the “Tools” menu.
  2. In the search dialog box, type “Enigmail.”Now, a list of Add-Ons will be available.
  3. Select the Enigmail add-on from the list.
  4. Click the “Install” button.

ENIG1

 

  1. There should now be a message indicating, “Enigmail will be installed after you restart Thunderbird.” Proceed with the installation by Clicking on the words “Restart Now

ENIG2

 

  1. After the Thunderbird application restarts, Enigmail should look like the image below. Proceed with configuring the add-on by Selecting Enigmail from the list.

ENIG3

  1. Select “I prefer a standard configuration (recommended for beginners)” and click “Next”.

Generating a Public/Private Keypair.

  1. Select the Account to generate the keys for.
  2. Enter in a strong passphrase
    • If the passphrase isn’t strong enough, the Passphrase quality meter will indicate that with a red- or yellow-colored bar (vs. the green one shown in the image below).
  3. Re-enter the strong passphrase to confirm.

keypair1

 

The Key Generation Process will generate a series of data based on random activity and assign it to the randomness pool for which to generate the keypair.

keypair2

 

 

  1. Save the revocation key to a trusted and safe, separate device (storage media)!

The revocation certificate can be used to invalidate a public key in the event of a loss of a secret (private) key.

keypair3

 

Key Management / View Key in Enigmail

management1

  1. Change the expiration date (suggested <2 years)

management2

 

  1. Upload Key To Public Keyserver (like hkp://pgp.mit.edu).

Public Keyserver Lookup

Look up the Public Keys of other people on public keyserver directly from within Enigmail.

  1. Select “Search for Keys” from the “Keyserver” dropdown menu.
  2. Enter in the Email Address or <FirstName><space><LastName> of the persons name that is being looked up.

A good test for this function is to try searching for Glenn Greenwald.

management3

 

Notice how many active public keys Glenn Greenwald has. This could be intentional, but it can also happen when setting up keys on a new device or email client and 1. Forgot the private key passphrase 2. Lost the key revocation file or forgotten the passphrase to unlock it.

The problem is that anyone contacting the user for the first time will have to figure out which key is the correct one to use. It also becomes a security risk because any one of those unused, but active, keys could be compromised, and result in adversaries accessing communications.

MORAL Of THE STORY: Set an expiration date, manage the revocation key file and manage passphrases.

Revoking a Key

  1. Right-click on the key and click on Key Properties.

revoke1

 

  1. At the bottom of the window Click on the ”Select Action” dropdown menu and Select “Revoke Key.”

revoke2

  1. A dialog box will pop up asking for the Private Key’s unique passphrase. Enter the passphrase for the key that is being revoked.

revoke3

  1. Once completed, the user will receive an ‘Enigmail Alert’ indicating that the key has been revoked. The alert warns the user that ‘if your key is available on a keyserver, it is recommended to re-upload it, so that others can see the revocation’. It is important to update the public keyservers to ensure that sources are aware of revoked keys and new keys on each account.

revoke4

 

Operationalizing GPG: A Pragmatic Approach

What do encrypt, decrypt, sign, and verify mean?

  • Encrypt takes the user’s secret key and the recipient’s public key, and jumbles a message. The jumbled text is secure from prying eyes. The sender always encrypts.
  • Decrypt takes an encrypted message, combined with the user’s secret key and the sender’s public key, and descrambles it. The recipient always decrypts. Encrypt and decrypt can be thought of as opposites.
  • Signing a message lets the receiver know that the user (the person with the user’s email address and public key) actually authored the message. Signing also provides additional cryptographic integrity by ensuring that no one has interfered with the encryption. The sender always signs a message.
  • Verifying a message is the process of analyzing a signed message to determine if the signature is true. Signing and verifying can be thought of as opposites.

When should someone sign a message? When should they encrypt?

If it is unnecessary to sign and encrypt every outgoing email, when should the user sign? And when should the user encrypt? And when should the user do nothing?

There are three sensible choices when sending a message:

  • Do nothing. If the contents of the email are public (non-confidential), and the recipient does not care whether the user or an impostor sent the message, then do nothing. The user can send the message as they’ve sent messages their entire life: in plain text.
  • Sign, but don’t encrypt. If the contents of the email are public (non-confidential), but the recipient wants assurance that the suspected sender (and not an impostor) actually sent the message, then the user should sign but not encrypt. Simply follow the tutorial above, skipping over the encryption and decryption steps.
  • Sign and encrypt. If the contents of the email are confidential, sign and encrypt. It does not matter whether the recipient wants assurance that the user sent the message; always sign when encrypting.

For a majority of emails that the user may send, encryption is just not always necessary. The remainder of the time, the user should sign and encrypt.

Whenever there is confidential information — such as sensitive reporting information, source address and name information, credit card numbers, bank numbers, social security numbers, corporate strategies or intellectual property — users should sign and encrypt. In terms of confidential information, users should err on the side of caution and sign and encrypt gratuitously rather than doing nothing and leaking sensitive information. As for the third option, users can sign, but do not encrypt.

Best Practices in Information Security

Despite best practices regarding the operational usage of PGP encryption, a disregard for the fundamentals of information security can still put a journalist’s communications in peril. It doesn’t matter how strong the encryption is if the user’s laptop has already been compromised, and is only a matter of time before the journalists’ encrypted communication method is in jeopardy.

Below is a short list of some high-level information security best practices. For more information on this subject, see Medill’s National Security Zone Digital Security Basics for Journalists.

  • Good password management

Journalists should not only create strong passwords, but also avoid using the same password for anything else. Consider using a password manager.

  • Keep software up to date.

Update software frequently. This helps thwart a majority of attacks to your system.

  • End-Point Security Software

Make use of antivirus and anti-malware software.

  • Be wary of odd emails and accompanying attachments.

When in doubt, don’t click. The goal of most phishing attacks is to either get you to download a file or send you to a malicious website to steal your username and password. If it doesn’t seem right or doesn’t make sense, try reaching out to the person via an alternate communication method before clicking.

  • Stay away from pirated software.

Nothing is truly free, as these software packages can often come with unintended consequences and malicious code packaged with them.

GPG Alternatives

  • CounterMail: a secure online email service utilizing PGP without the complexity of complicated key management.
  • DIMEDark Internet Mail Environment: a new approach and potential game-changer to secure and private email communications.

Additional Resources

Glossary of Terms

Keyword Definition
Ciphertext Ciphertext is encrypted text. Plaintext is what you have before encryption, and ciphertext is the encrypted result. The term cipher is sometimes used as a synonym for ciphertext, but it more properly means the method of encryption rather than the result.
Data-at-Rest Data at rest is a term that is sometimes used to refer to all data in computer storage while excluding data that is traversing a network or temporarily residing in computer memory to be read or updated.
Data-In-Transit Data in Transit is defined as data no longer at a restful state in storage and in motion.
Digital Signature A digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software, or digital document.
Encryption Encryption is the conversion of electronic data into another form, called ciphertext, which cannot be easily understood by anyone except authorized parties.
Fingerprint In public-key cryptography, a public key fingerprint is a short sequence of bytes used to authenticate or look up a longer public key. Fingerprints are created by applying a cryptographic hash function to a public key.
Key In cryptography, a key is a variable value that is applied using an algorithm to a string or block of unencrypted text to produce encrypted text, or to decrypt encrypted text.
Password Manager A password manager is a software application that helps a user store and organize passwords. Password managers usually store passwords encrypted, requiring the user to create a master password; a single, ideally very strong password which grants the user access to their entire password database.
Private Key In cryptography, a private or secret key is an encryption/decryption key known only to the party or parties that exchange secret messages. In traditional secret key cryptography, a key would be shared by the communicators so that each could encrypt and decrypt messages. The risk in this system is that if either party loses the key or it is stolen, the system is broken. A more recent alternative is to use a combination of public and private keys. In this system, a public key is used together with a private key.
Public Key In cryptography, a public key is a value provided by some designated authority as an encryption key that, combined with a private key derived from the public key, can be used to effectively encrypt messages and digital signatures.

Term Definitions provided by TechTarget.com, Webopedia.com, and Wikipedia.org

Encryption Becomes a Part of Journalists’ Toolkit

TEXT AND PHOTOS BY J. ZACH HOLLO FOR THE GROUNDTRUTH PROJECT & REPRINTED WITH PERMISSION.

WASHINGTON — When whistleblower Edward Snowden used an email encryption program called PGP to contact documentary filmmaker Laura Poitras, only a tiny fraction of journalists used it. The precaution, designed to scramble messages so only the sender and receiver can read them, was essential for Snowden to leak the information.

The series of stories that followed shocked the world and radically altered the way people think about government surveillance and the Internet. Now, encryption is becoming a standard item of the journalism toolkit, a must-have for anyone hoping to report on sensitive issues that might upset institutions of power. It was also the subject of a workshop recently held at Northwestern’s Medill newsroom in Washington, DC, which walked about 15 journalists through the basic software installations involved in setting up PGP, which is short for “Pretty Good Privacy” and ironically named after a grocery store in Garrison Keillor’s fictional town of Lake Wobegon.

Aaron Rinehart displays the GPG encryption download suite for those at the workshop to follow along. (J. Zach Hollo/THE GROUNDTRUTH PROJECT)

Aaron Rinehart displays the GPG encryption download suite for those at the workshop to follow along. (J. Zach Hollo/THE GROUNDTRUTH PROJECT)

For Aaron Rinehart, one of the workshop’s leaders, the goal is to protect the relationship between journalists and their sources, “to get journalists confident using these tools so sources feel they can give them information safely,” said Rinehart. Without that possibility, he said, the Fourth Estate could be fundamentally crippled.

And it’s not just the NSA journalists and sources need to protect themselves from, warned Rinehart. He used an example of a story exposing pharmaceutical malpractice. “It’s not that sexy of an issue, right? But just think of the potential adversaries.” There’s the government whose regulators screwed up, the drug companies who are poisoning people, and their stakeholders who don’t want to lose profits. With any story, there are likely a host of people who want to hack the journalist and sources to prevent the information from being aired.

The workshop was taught by Rinehart and digital security advisers David Reese and Ferdous Al-Faruque. Rinehart and Reese recently founded TestBed Inc., a technology consulting company. And Al-Faruque is a master’s journalism student at the University of Missouri who said he wants to establish a class there on encryption and cyber security.

Rinehart, who spent time in Djibouti while serving in the Marine Corps, said his motivation for putting on the workshop came from a time when journalism salvaged his college career. “The media saved me,” he said. About a decade ago, Rinehart faced a bureaucratic nightmare at the University of Missouri, when he returned from serving abroad and was not permitted to complete his studies. A local paper led an investigation into the problems veterans were having there, and the university changed policies. Since then, Rinehart said he tries to do all he can to help journalists.

Of the reporters who attended, many are intent on investigative work like the kind that exposed the NSA’s mass, indiscriminate surveillance. “Since I cover national security and defense, I would definitely use this to coax sources to communicate with me or send me documents that they don’t want their government or our government to see or know about,” said Kristina Wong, a reporter for The Hill.

But others also attended, including a cryptologist who said he comes to events like this out of professional interest, and a human rights worker.

“In a lot of countries, activists and human rights defenders especially are really targeted,” said Sarah Kinosian, who monitors American security assistance in Latin America for the Center for International Policy. “So we want to make sure [victims] can pass documentation to us in a safe way.”

The workshop began with Rinehart and Reese playing a segment of Citizen Four, Poitras’s documentary on Snowden and government surveillance that recently won an academy award.

“I would like to confirm out of email that the keys we exchanged were not intercepted and replaced by your surveillance,” a narrator said, reading Snowden’s correspondence with Poitras as a line of ominous tunnel light split darkness on the screen. “Please confirm that no one has ever had a copy of your private key and that it uses a strong passphrase.” Rinehart interjected: “That is what we will be teaching you today.”

He then spoke for a while on the importance of responsible password management, recommending a program called KeePass, before moving on to downloading email client software and installing extensions designed to encrypt communications.

The way it works can seem daunting and complex, especially for anyone not tech-savvy. The email extension, called GPG or PGP, generates both a public and private key for each user. When PGP is used to send an email, the sender uses the receiver’s public key to encrypt the contents of the email so only the receiver’s private key can decrypt it.

Also on the other end, the receiver can see that the sender’s identity is confirmed. A public key is just what it sounds like: something meant to be made public along with an email address so the owner can be contacted by anyone. The private key must be kept secret by the owner, and is used to decrypt messages sent using his or her public key.

In essence, it’s is the same concept of an email. Anyone can send a message to someone but only that someone can read it. But encryption makes it nearly impossible for that message to be intercepted. And while subpoenas can force Google or Yahoo to turn over peoples’ emails, PGP makes it impossible for Google and Yahoo to read the messages, so they’d be turning over incoherent nonsense (although it is still possible to see who the sender and receiver are, and the subject line of the email is not encrypted. Ergo, aliases are commonly used once initial contact is made).

Click here to see my public key.

Encryption’s complexity has deterred it from becoming widespread, even in newsrooms. “At The Hill, not many people use it at all,” said Wong, something many would deem troublesome given the publication’s focus on politics and aim to bring transparency to Washington.

But most people agree the complexity is in the technical details behind the process, not in its application. “The world of cryptology and algorithms and coding that goes into encryption tools is difficult for just about anyone to comprehend,” Rinehart said. “But using the tools is quite simple for people who take the time to learn.”

While the majority journalists still do not use encryption, it is becoming common practice for many organizations who do investigative work. The New Yorker, The Intercept, Washington Post, and ProPublica are a few of the early sign-ons for Secure Drop, a new encryption system for journalists designed by the Freedom of the Press Foundation and originally coded by Kevin Poulsen and the late Aaron Swartz. Gawker is another publication that uses it, showing encryption may become more widespread for groups focused on less hard-hitting subjects as well.

[Editor’s note: This piece originally appeared in The Huffington Post.]

Cracking the code: Workshop gives journalists a crash course in encryption

  • TestBed's Aaron Rinehart lectures to seminar attendees prior to the hands-on portion of the day on April 3, 2015. (Jennifer-Leigh Oprihory/MEDILL NSJI)

WASHINGTON — The minds behind TestBed, Inc., a Virginia-based IT consulting firm specializing in IT planning, analytics, testing, prototyping and business advice for the public and private sectors, gave journalists a crash course in digital safety and encryption techniques at an April 3 seminar in Washington.

The daylong event, “Cyber Security Skill Workshop for Journalists: Sending Secure Email,” was co-sponsored by the Medill National Security Journalism Initiative and the Military Reporters & Editors Association, and held in the Medill Washington newsroom.

The seminar began with an introductory lecture on cybersecurity basics and common misconceptions about online privacy and security. Security-related superstitions, such as the idea that browsing in so-called “incognito” or “invisible” modes will keep your digital whereabouts truly hidden, were promptly dispelled.

TestBed’s Aaron Rinehart and David Reese then transformed the event into a hands-on lesson in PGP – an acronym for “Pretty Good Privacy” – as well as understanding other aspects of digital fingerprints (including how to create a public key, how to register it in the Massachusetts Institute of Technology’s PGP directory so that you are more widely contactable by those in the encryption know and how to revoke (or deactivate) a key for security reasons.

The program also included a brief introduction to the Tor network, a group of volunteer-operated servers that allows people to improve their privacy and security on the Internet. Tor, originally developed by the U.S. Navy, hides the route taken from a computer’s IP address to its eventual browsing destination.

Learn how Tor works via Medill reporter William Hicks’ helpful primer and infographic here.

When asked for the top three lessons he hoped attendees would take away from the event, Rinehart emphasized the importance of “good key management,” or not sharing your private PGP key with anyone, operating “under good security practices”(such as updating software and antivirus programs) and making email encryption a regular habit.

“Don’t compromise convenience for security,” Rinehart said in a post-workshop interview. “Try to make this something you can use everyday.”

The event drew a mix of reporters, security experts and students, which included military veterans and defense journalists.

Northwestern University in Qatar journalism student James Zachary Hollo attended the event to research encryption resources available for foreign correspondents and to report on the workshop for the Ground Truth Project in Boston, where he is currently completing his Junior Residency.

Hollo said the seminar gave him a better understanding of how to use PGP.

“I had sort of experimented with it before I came here, but this gave me a much better and deeper understanding of it, and I got to sort of refine my ability to use it more,” he said.

Hollo said he was surprised that many attendees came from military service or military reporting backgrounds, since, in his view, “one of the blowbacks against the NSA story [involving whistleblower Edward Snowden] was that it’s like reporting is like betraying your country.”