Spycraft: Keeping your sources private - public.asu.edu

Spycraft:
Keeping your sources safe
STEVE DOIG
CRONKITE SCHOOL OF JOURNALISM
ARIZONA STATE UNIVERSITY
Why spycraft for reporters?
 Need to keep identity of confidential sources secret
from subpoena or government snooping.
 Need to keep identity of confidential whistleblowers
secret from corporations.
 Need to travel in places where governments detain
journalists.
Examples
 National Security Agency revelations from Snowden
 Barry Bearak of the NY Times in Zimbabwe
 Hewlett Packard board leaks
 Secret subpoena of AP phone records
 Fox News reporter’s email contents
What I’ll cover
 Keeping internet searches private
 Making and receiving untraceable calls
 Keeping email private
 Encryption/decryption programs
 Keeping your computer clean
 Tricking keyloggers
Private internet searching
 NSA monitors search terms
 AOL debacle: 36 million search terms of 650,000
users (http://www.aolstalker.com/)
 Subpoenas to your IT department or IP provider
 Alternative: www.ixquick.com: No IP addresses
kept, no cookies, search terms deleted within 48
hours
 DuckDuckGo.com: nothing kept
 Anonymizer.com?: Anonymizer Universal ($80)
Torproject.org
 TOR enables anonymous browsing
 Bounces your browsing through a worldwide net of
relays
 Get through national firewalls
 Used by journalists, activists, bloggers, NGOs,
companies, et al.
Keeping identity private in calls
 *67 blocks Caller ID in U.S.
 Old NYT caller ID: 111-111-1111
 “Spoof” your Caller ID with SpoofCard
(www.spoofcard.com) -- $10/60 minutes
 Crazycall.net (international)
 Also do voice changing
Cellphone cautions
 GIS-equipped cellphones track your location
 Cellphones also track location by cell tower
triangulation
 Cellphones and wireless phones can be heard by
scanners
 Cellphones can be bugged
Cellphone spyware
 Listen to calls, extract SMS, view photos, read call
logs ($60) (but not iPhones)
Pre-paid “burner” cell phones
 No-contract cell phones and SIM cards
 IMPORTANT: Buy with cash, and replenish with
cash
 Common outside the U.S.
 Phones as cheap as $10-$20
 Pre-paid cards as cheap as 10 cents/minute in US
Voice over Internet Protocol (VoIP)
 Internet voice calls
 Beware “man in the middle” attacks (NSA, for
instance)
 Skype encrypts voice/video data stream
   But there is an NSA back door…
 Use Jitsi.org instead of Skype
 Zfone with VoIP clients like Gizmo, GoogleTalk,
Magic Jack
Silent Circle
 Started by PGP inventor Phil Zimmermann
 App for iPhone or Android
 Encrypts phone, text, video chat
 But secure email server has been shut down!
 $10/month
 Prepaid “Rōnin card” – get service anonymously
 Use with Silent Circle
Blackphone
 Secure phone, text, wireless
 Anonymous search/browsing
 Remote wipe if lost
Texting and chat
 TextSecure from WhisperSystems (for Android, but
iOS soon?): encrypted end to end
 ChatSecure: Use for Facebook chat, Google
Hangouts, et al....works on any platform
Keeping identity private in email
 Use free “throwaway” email addresses from Yahoo,
Gmail, etc.
 Anonymizer.com: Nyms software creates throwaway
email addresses that will forward to your real
address ($20/yr)
 Other remailers: Mixmaster, QuickSilver, et al.
Email without sending email
 Trick used by CIA director David Petraeus and
mistress Paula Broadwell
 Create an anonymous Gmail account
 Write messages as drafts, but don’t send them
Smuggling your text and pictures
 Use micro SD cards
 Up to 128 GB
Cryptography
 Use code to make files on disk, phone, etc.,
unreadable
 Avoid simple ciphers, one-time pads, etc.
 Public-key cryptography is best
 TrueCrypt.org: not secure!!
 TrueCrypt to be replaced by CipherShed
 Boxcryptor: encrypt files in the cloud
 GnuPG 2.0 also open source
 Use a strong passphrase!
 Keep data on encrypted thumb drive
Hidden USB drives
Email encryption
 MS Outlook will encrypt email
 Better: GnuPG 2.0 (free)
   Uses public-key crypto
 Can be built into Gmail
 Enigmail extension for
Mozilla Thunderbird
Cryptonerd’s fantasy
Steganography
 Poe’s “Purloined Letter”: Hide in plain sight
 Message hidden in “covertext” of some sort:
   Plaintext
   MP3s, jpegs, video, Flash, etc.
 www.jjtc.com/Steganography/tools.html
 OpenPuff 4.0 – deniable encryption using less
secret data as a decoy
 New – hiding files in the silence of Skype
conversations!
Stego example: original
Stego example: encoded
Hiding directories
 Create hidden “safes” on computer
 “Safes” can be on USB drives, DVDs
 Espionageapp.com
Watermarking, fingerprinting
 Related to steganography
 Hidden information embedded in files
 Invisible watermarking uses variety of techniques: Shift
lines, text and/or characters; deliberate misspellings, etc.
 Used to verify copyright, reveal image tampering, traitor
tracing
 Watermarker.com: “IceMark” invisible watermark ($50)
 Strategy: Retype the document, adding your own
variations…
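What per-copy fingerprinting looks like in plain text, and why retyping removes it: the sketch below (an added example, not part of the original slides) compares two copies of the same memo and labels each difference as a spacing shift, a wording or spelling change, or an invisible character. The memo text and function names are constructed for illustration, and the invisible-character case goes beyond the techniques the slide lists.

```python
import difflib
import re
import unicodedata

# Constructed sample: one memo as issued to two different recipients.
COPY_A = ("The board will meet on Tuesday to review the merger.\n"
          "All recipients must keep this memo confidential.\n"
          "Questions go to the general counsel.\n")
COPY_B = ("The board will meet on Tuesday to review the merger.\n"
          "All  recipients must keep this memo confidental.\n"
          "Questions go to the general\u200b counsel.\n")

def strip_invisible(text):
    """Drop Unicode format characters (category Cf), e.g. zero-width spaces."""
    return "".join(c for c in text if unicodedata.category(c) != "Cf")

def classify(old, new):
    if strip_invisible(old) == strip_invisible(new):
        return "invisible"   # differs only by characters that do not render
    if not (old + new).strip():
        return "spacing"     # only the amount of whitespace changed
    return "wording"         # spelling or word choice changed

def compare_copies(a, b):
    """Return (line number, kind, text in a, text in b) for every difference."""
    findings = []
    for n, (la, lb) in enumerate(zip(a.splitlines(), b.splitlines()), 1):
        # Tokenise into words and whitespace runs so spacing shifts show up.
        ta, tb = re.findall(r"\s+|\S+", la), re.findall(r"\s+|\S+", lb)
        matcher = difflib.SequenceMatcher(a=ta, b=tb, autojunk=False)
        for op, i1, i2, j1, j2 in matcher.get_opcodes():
            if op != "equal":
                old, new = "".join(ta[i1:i2]), "".join(tb[j1:j2])
                findings.append((n, classify(old, new), old, new))
    return findings

if __name__ == "__main__":
    for finding in compare_copies(COPY_A, COPY_B):
        print(finding)
```

Any difference between two copies that should be identical marks the positions where a recipient could be identified. A copy pasted or forwarded verbatim carries all of them, while a retyped one carries none.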
Spammimic.com
 Turns a short message into spam, which can be
decoded
“Dear Friend ; Thank-you for your interest in our publication
. If you no longer wish to receive our publications
simply reply with a Subject: of "REMOVE" and you will
immediately be removed from our club ! This mail is
being sent in compliance with Senate bill 1816 ; Title
3 ; Section 304 ….
Cleaning your computer
 Deleting files doesn’t destroy them
 Need software that overwrites deleted file space,
temp files, etc.
 CyberScrub Privacy Suite ($60)
   Overwipes data files, erases other traces
 CCleaner (free), Eraser 6.0, other freeware
 Darik’s Boot and Nuke (CD wipes all drives)
 Blancco: industrial-grade data wiping
Keyloggers
 Hidden program that captures keystrokes and
sends them to whoever installed it.
 Common at internet cafes!
 FBI’s Magic Lantern keylogger
 Anti-spyware software will detect many – but
not all – keyloggers.
 Stopgap protection: When typing password
letters, type a few random letters elsewhere in the
window between each
Hardware keyloggers
 Insert between keyboard and computer ($50-$200)
Software keyloggers
 Installs software in 5 seconds ($99)
GPS tracking
 GPS Trackers with cell SIM cards can update
location every minute
Recommendations
 Assess the risk to your source
 Who wants your source’s identity?
 What are their capabilities?
 Discuss security with your sources
 Make security decisions sooner rather than later
 Consider low-tech face-to-face meetings
Some privacy resources
 www.privacy.org
 www.epic.org
 www.privacyinternational.org
 www.journalistsecurity.net/
 www.securityinabox.org
Questions and ideas?