Cooking up a Poison.Kitchen

Long ago, in the early ’00s, I made a website. It was called poisonkitchen.com, and I’ll get into why it was called that a few lines later. It was one of the first websites I ever created, while still working in newspapers as a reporter and editor. The purpose of this thing was to create a space for fellow print reporters to dish information about work and life at their news organisations, in an age when newspapers were declining in revenue and quality long before the internet was perceived as a serious threat.

I never kept a local copy of it, because that seemed kind of pointless. Here’s a Time Machine capture of it in its earlier days as a static HTML page site. Later on, I remade the site, adding a blog made with pMachine (the Internet Archive doesn’t display that unique code too well) and some PHP forum script. The forum was the main point; it was picking up where a previous site, called News Mait, had left off when it closed. The site had its regulars, but over time, as many single-purpose niche sites run by one person in their spare time go, its useful lifespan was limited. Other sites better at handling the topic of toxic newsroom working environments moved in. I let the site go. Closed it, and transferred the domain to someone who said he was going to “do something” with it. He never did.

testycopyeditors.org was just one site that did a similar thing, but more entertainingly.

The domain is still owned, but pointing to nothing. It’s booked and locked for some reason, but hasn’t actually ever been used in more than 12 years(!). I’m not entirely sure what the owner is hoping to achieve, though a movie option could be one possibility. Anyway, that’s not a huge deal or the point of this post. I digress… often. Recent events reminded me about the domain name, though. I was in Berlin the other week and the news was all about U.S. President Trump’s latest attacks against the press. An independent press is under attack by the executive branch of the U.S. government. More so than in any other time in recent history.

So, what’s with the slightly creepy sounding domain, then? My choice of the domain all those years ago was based on the pejorative that Hitler had dubbed the Münchener Post (Munich Post), an adversarial newspaper that critiqued each of Adolf’s speeches and investigated his every political move up until and including the day before the SS were sent to close the paper and arrest its staff. The editor’s last instruction to his staff upon publishing the final edition, allegedly, had simply been, “run.”

The Nazi regime had dubbed the Munich Post ‘fake news’, and tried various means to block the paper’s journalists from covering politics. Ultimately, once power had been concentrated, it was banned, published anyway, and arrest warrants were issued against many members of the staff.

This may not sound like an entirely uplifting story arc, but I found the narrative inspiring. I had come by this piece of great journalistic history while reading a chapter about it in Explaining Hitler by Ron Rosenbaum, long before I’d thought of starting a website called ‘Poison Kitchen.’ But once I read it, I decided it would make a great sounding website of some sort.

The point of naming the site poisonkitchen.com was that people went into journalism for aspirational reasons that seldom ended up matching the reality. Newspapers didn’t push hard enough in the lead-up to the election in 2000, and this was what had led (at that time) to President George Bush winning a demonstrably flawed vote. He didn’t have much use for an investigative press, either.

The situation today seems to once more tick all the right boxes, only more so: We now have a deranged, conspiracy-obsessed, authoritarian president in the U.S. who targets segments of the population with hateful rhetoric, attacks the press, tries to enact draconian laws against immigrants, employs vast propaganda to pursue his goals, and doesn’t seem to like an independent judiciary, either. He also took office with a minority vote and seems to not like being reminded of that. He may have tiny hands, an orange complexion and cartoony hair, but to be honest, these aspects are the least of our worries.

A forum isn’t going to cut it. But I spent last week getting some interesting notions at the Internet Freedom Festival on what just might. The media landscape has changed, the web has changed, and I’m in a different place, too. As a technologist who now works with journalists on issues of secure hosting, web applications and digital safety, I think I have use for a Poison Kitchen domain again. I can’t have that .com, but that’s okay, because domains have changed, too. So, there’s poison.kitchen.

Don’t rush over there now, there’s not much to see. Here in my mini-launch manifesto, I’m just going to lay out some concepts that the domain’s eventually arriving website will be exploring.

Premise

There are two parts to this. The first deals with the safety and confidence of the potential whistle blower, or anonymous source of the information. The second has to do with how well that information is used in coverage.

  1. Not everyone wants to be famous/notorious. Not everyone who would share newsworthy but highly sensitive information wants to be an Edward Snowden and allow this one act to be what defines them. Chelsea Manning didn’t want to. From Jeremy Hammond to Mordechai Vanunu, we’ve seen examples through history where people paid a high price to make the world more aware. Mathematically speaking, if those people exist, then there are likely many others who have access to information they would release to a journalist, but would rather not give up their family, friends, income and entire way of life in the process. That should be possible.
  2. Sensitive information in talented hands has more impact. Snowden’s NSA file leaks were more useful because they went through talented investigative journalists first. The Panama Papers leaks became more impactful because of how the story was handled by ICIJ. How much better and more accurate would the coverage of the CIA ‘hacking tools’ leak be, had it been released first to knowledgeable technology journalists? Helping sources self-select the right journalistic contacts should be possible.

Ideas/notions

These are some ideas based around the two items mentioned above.

  1. Build source confidence in methods and tools and the journalists they reach out to.
    Encryption tools and technology overall have taken a bashing over the last few years. It’s time to bash back. Yes, there are suitable and safe ways to transmit a piece of information with reasonable expectation of both privacy and anonymity. No, it’s not single-app, one-click, or “It Just Works”™ easy. Outside of that, a source needs reasonable confidence that the journalist will treat what they share carefully, which many journalists may want to do, but may not know what it involves.
  2. Combine all the known resources, guides, templates and risk assessment tools to enable sources to contact specific journalists of their choice more securely.
    As the story that’s now in both myth and legend goes: Edward Snowden needed to work at it for more than a year to get Glenn Greenwald to spend an hour setting up encryption keys for an email address. There are now guides, tools and how-to things all over the web on setting this up, but it’s really just one way of reaching out to a journalist, or being a journalist who wants to hear from a source, and it may not be your way, or the correct way for your situation. This is aimed at sources to be able to confidently reach journalists and transmit information.
  3. Implement secure contact pathways of communication for independent/freelance journalists and their sources.
    The New York Times, Guardian and other large news organisations have the facility to manage in-house highly secure systems, such as SecureDrop. Investigative, freelance or independent journalists may not have these resources, but they do often have specific areas of deep knowledge, and can sometimes be better placed to receive confidential information on a topic that is their primary focus. Over the longer haul, the site’s goal would be to take advantage of existing secure contact methods to create a gateway between sources desiring higher levels of off-record care and attention, with qualified journalists of their choice who agree to an ethical framework for dealing with confidential source material.

UPDATES

So there’s the concept note. Interested parties are welcome to drop a line. Watch this space.

There’s a Github Repo to track.

Data at the U.S. border


UPDATES: Aside from the strategies listed below, here are some other guides, resources and tips on dealing with your digital privacy in U.S. airports, or around any borders with paranoid state regimes…


The United States of America can now be fairly classified as a declining state in terms of freedom, liberty, speech and human rights. The Economist has downgraded its status to “flawed democracy” (late in the game). The White House is presently battling with the courts for the right to exclude entry to the country from not just seven Muslim majority countries (bad enough as that would be), but the right to ban people of any nationality on the basis that they were born in one of these countries. It is the thin end of the wedge to enact President Trump’s promise of a complete ban on Muslims and a Muslim registry.

The Trump regime also plans to require foreign visitors to disclose websites, social media activity, and let American border agents copy data and contacts from their mobile phones as a requirement of entry. Plan ahead.

If you need to go to the United States, your rights may be at serious risk. But this is nothing new in terms of data. Department of Homeland Security agents were allowed (under President Obama) the authority to copy your device’s hard drive at any point of entry into the U.S. But this will probably be put into greater practice in the coming days.

So, if you’re traveling to the United States, consider the following:

Travel tech-light. Leave your computer at home, or carry a wiped machine and/or mobile. Get a mobile after you arrive. Basic mobile phones and pay-as-you-go SIMs are easy to obtain (still) for cash in the U.S. See if you can use a local laptop after you arrive, and get into your accounts on the other side. The less you carry, the safer you and your contacts will be.

Encrypt your computer and your mobile hard drives. If agents are going to access it or copy information from a device, they’ll have to talk with you about it first. Switch your devices off before you land, for this to mean anything.

Log out of everything. Before you arrive at the border, make sure that nothing is syncing, updating or sending or receiving from your devices. Wipe all the local data in your browser. Don’t leave passwords, browsing history, cookie information or download history in your cache. Remove your accounts from any email clients you have set up. Wipe any access information. If agents want to access these, they will have to ask you to log into each one, keeping everything they see transparent to you. Don’t leave clues on your machine as to what services you use.

Create alternate social media personas. This is more difficult to pull off than it sounds, but essentially it means creating fairly vanilla/bland social profiles that don’t include any social, political or other aspects of your identity you think may get you or others in trouble. It means keeping a smattering of contacts that you don’t think will raise your profile in a problematic way at the border. Honestly, this is how they™ win, but if you need to get from point A to B, then sometimes needs must. If you’re involved in any sort of anti-regime activism or opposition, then keeping that information containerized is just a practical reality.

Encrypt files locally and send what you need ahead of you. If you have someone on the other side you trust, encrypt the files and information you’ll want to use after you pass through the U.S. border, and send it to them. Use VeraCrypt or PGP key encryption to secure the information locally. Transfer it using a secure cloud service or a volatile, encrypted file-sharing service such as OnionShare, or run FileTea through a decent VPN or Tor. Wipe it from your device, and re-install it when you get to your friend.

Encrypt your information and hide it in the cloud. Find a decent, secure cloud storage service. Export your confidential information and encrypt it locally on your machine. Rename your file as well (“pics_of_cat.zip”, “art_masters_thesis.tar” or so on). Store this in your cloud hosting service and make sure to securely wipe it from your machine. Get it back when you’ve got a secure internet connection after you’re away from the border control.

Set up 2-factor authentication on any accounts that have it available. If you’re asked to log into an account, this will give the border control agent and the Department of Homeland Security future access to that account. 2-factor authentication on many services allows you to monitor where your account is logged in and end those sessions remotely. It will let you know when and if anyone tries to log in from a different location.

Consider all accounts accessed at the border to be compromised. As a matter of digital hygiene, change any password that you use at the request of a government official. Update your passwords using stronger ones not similar to your compromised passwords.

Consider any device handed over to a border agent to be compromised. If a border agent takes your device and does anything you can’t visibly see happening, then assume the device has been infected with malware (spyware) and wipe it before using again. Dismantle it to look for physical tampering, if it’s taken where you can’t see it.
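An added example, not part of the original post: a pre-travel check for the “Log out of everything” step above. It walks a folder for the usual Firefox and Chromium profile files and reports any that still hold history, cookies or saved logins. The sample profile it builds is constructed test data, and the file and table names are assumed to match the browser versions you run.

```python
import json
import os
import sqlite3
import tempfile
from pathlib import Path

# File names Firefox and Chromium-based browsers use inside a profile folder.
# Value: (what it holds, SQLite table to count, or None for Firefox's JSON file).
ARTIFACTS = {
    "places.sqlite": ("Firefox history", "moz_places"),
    "cookies.sqlite": ("Firefox cookies", "moz_cookies"),
    "logins.json": ("Firefox saved logins", None),
    "History": ("Chromium history", "urls"),
    "Cookies": ("Chromium cookies", "cookies"),
    "Login Data": ("Chromium saved logins", "logins"),
}


def count_entries(path, table):
    """Return how many entries the file holds, or None if it cannot be parsed."""
    try:
        if table is None:
            with open(path, encoding="utf-8") as fh:
                return len(json.load(fh)["logins"])
        # mode=ro: the audit must never create or modify a profile file.
        conn = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
        try:
            return conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
        finally:
            conn.close()
    except (OSError, ValueError, KeyError, TypeError, sqlite3.Error):
        return None


def audit(root):
    """List (relative path, description, entries) for files that still hold data."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in ARTIFACTS:
                continue
            path = os.path.join(dirpath, name)
            what, table = ARTIFACTS[name]
            entries = count_entries(path, table)
            if entries == 0 or os.path.getsize(path) == 0:
                continue  # wiped: the file exists but holds nothing
            # entries is None means unreadable: report it, do not assume clean.
            findings.append((os.path.relpath(path, root), what, entries))
    return sorted(findings, key=lambda f: f[0])


def make_sample_profile(root):
    """Constructed test data: history and a login left behind, cookies wiped."""
    prof = Path(root) / "constructed.default"
    prof.mkdir(parents=True)
    samples = [("places.sqlite", "moz_places", [("https://example.org/a",),
                                                ("https://example.org/b",)]),
               ("cookies.sqlite", "moz_cookies", [])]
    for fname, table, rows in samples:
        db = sqlite3.connect(prof / fname)
        db.execute(f"CREATE TABLE {table} (value TEXT)")
        db.executemany(f"INSERT INTO {table} VALUES (?)", rows)
        db.commit()
        db.close()
    (prof / "logins.json").write_text(json.dumps({"logins": [{"hostname": "example.org"}]}))
    return prof


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_profile(tmp)
        for rel, what, entries in audit(tmp):
            shown = "unreadable" if entries is None else f"{entries} entries"
            print(f"{what}: {shown} in {rel}")
```

Close the browser before pointing `audit()` at a real profile folder; a file that is locked or cannot be parsed is reported with `None` entries rather than treated as clean.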

Such are the times in which we live.

— For a friend

Data at the border

Escape plan

I was in a charity shop in Peckham a couple of days before New Year’s Eve and was flipping through the pages of a history of MI9. There I came across a diagram of the Escape Knife (or, escaper’s knife). As I’d lost my trusty ol’ Leatherman due to some haste and stupidity on the way to the airport a while back, I was in the market for a new multitask tool thingamajig, and I also like things that come with a bit of history to them. Also, it just seems like we’re living in an era where having something on hand called an “escape knife” seems more handy. Image searching the diagram and name, though, tells me that these things aren’t in production any longer, and buying one vintage runs in around the £1,200+ range. So I’ll pass.

But I like the mandate of MI9, which was basically to help people escape or evade fascists by designing tools, researching technology and developing tactics. There still seems to be a need for these things.

Sort of like during the bulk of the 2000s, I’m hearing more people grumbling about needing to escape Trump’s America, though this time around it sounds like the real challenge for more people will be getting into the U.S., rather than getting out. But still I see people looking for ways to emigrate to Canada, Europe or even to the UK for some reason, though I’m not entirely sure what they’re specifically hoping to evade by coming to Brexit Land.

So, first the bad news: There is no escape. We’ve all entered ‘The Man in the High Castle’ alternate reality together. The good news is that there is a wealth of how-to guides, manuals and resources created by and for people living or working in closed and closing societies on how to do any number of things, whether it’s communicating privately or anonymously, looking up information without leaving a data record behind, how to meet discreetly, how to store personal information securely, how to detect if you’re being followed and lose who’s following you, etc. and etc. To learn how to do these things, the first thing you need to do is accept that you’re now living in an emerging closing society. It’s okay, you actually have been for a little while now, you just didn’t have a fluffy-haired soon-to-be-president, orange twat reminding you about it in a daily barrage of poorly-thought-out Twitter outbursts. Until now. Welcome to now.

You had been warned. Maybe you didn’t care because it still seemed like things were being run by people who could string a coherent sentence together. Maybe you took the warnings seriously, but didn’t think they’d ever apply to you. Apparently, when your side loses an election, they don’t switch off the massive, legal-grey-area global spy network when they pack up and move out.

“It is possible that I will end up living like the dissidents who I defended from foreign dictatorships for so long. I will talk in coded terms, as I have started to do already. Did you think it was a coincidence that I published an article about Elijah Lovejoy, a journalist who sought freedom for all and was killed by St. Louis mobs, right before the election?” Sarah Kendzior

People who had previously felt like they were fairly garden variety mild political opponents to the establishment may now be qualified as proper dissidents. The First Amendment right to religious freedom might not really apply to some people for the next few years. If you conduct research in certain scientific fields, you may be under increased White House scrutiny.

The U.S. may not be closed, but it’s closing in. Here are some resources that may come in handy if you’re going to be on the wrong side of the emerging situation…

Digital

Surveillance Self-Defense Against the Trump Administration, by Micah Lee, is what it says in the title. Here’s a great tech starter for avoiding mobile and web tracking, securing your communications and your website (if you’ve got one). If you’re a Signal app user (hint: you should be), also be sure to read Micah’s pro-tips on using it; this is the “missing manual.”

Penetration Testers’ Guide to Windows 10 Privacy & Security is for you if you are going to use Windows 10, not that I’m advocating that sort of lifestyle choice. Get ready to spend some serious time with Andrew Douma’s how-to post, which is far more readable than any actual Microsoft documentation might be.

draft_encrypt-email-guide-10-2016 is a group-edited guide on getting into sending and receiving encrypted emails using PGP. It’s spearheaded by Matt Mitchell, who will be porting it to Gitlab and Medium once the gang are done fidgeting with it. However, it’s already far more readable than a number of other attempts. I’ll update the links here when it’s moved to its finalized home.

How can I use my mobile phone more securely? by yours truly, can help you get your mobile phone under control, or at least understand how little control you have. Remember: You have control over whether you carry it when you don’t want a record of your travels. You can control what you don’t say or type in it. That’s your control.

Data at the border is another one I hacked together, about the data you carry with you, and how to keep it from being exposed, through theft, confiscation, in a search, etc.

Physical

Surveillance Evasion, by Ami Toben at protectioncircle.org will help you understand what’s needed to evade hostile physical surveillance when traveling between Point A and Point B.

How journalists and activists can have a safer physical meeting with a source, by Security First Co-Founder Rory Byrne will show you how to have an off-the-record meeting with the aim of staying off all the records.

How journalists and activists can identify and counter physical surveillance, also by Rory Byrne, is similar to Ami Toben’s guide, though with some very different insights, offering a set of tactics and behaviors that can throw off a tail.

Is S/He an Informant? A Ten Point Checklist by Ret Marut on behalf of activists allegedly impacted by undercover infiltrators in their groups is still going to be useful if you’re going to be organizing in 2017-2020 America.

Think You Can Live Offline Without Being Tracked? is a short FastCompany interview with various privacy experts, that will give you some idea on the near impossibility and/or depressing reality of trying to sustain such an existence for a long period of time, which is why I trend more toward episodic tactics and throw-away plans. Spoiler: When an article ends in a question mark, the answer is usually ‘no.’ The Lone Ranger lived his secret identity and had just the one friend. Don Diego de la Vega kept his anonymous Zorro persona compartmentalized and so could still throw swanky dinner parties. Be Zorro.

Plan, prep & test

Whether you are just one or some, you need to know what you’re going to be doing and what kind of trouble it could entail. These will help…

The Risk Assessment toolkit by Security in a Box is a good place to start.

The Secure Communications Framework by Tim Sammut remains one of my favourite guides to assess which tech and methods you should be using, and what kind of extra support you might need.

Risk Assessments and Communication Plan templates from Rory Peck Trust can help you articulate and keep a file on what the likely problems will be and how you’ll cope with them.

SAFETAG, developed by Internews, is a professional security auditing framework using a mix of penetration testing and risk assessment methods that are useful for smaller organisations and groups who face adversarial conditions.

You had been warned

All those warnings about the dangers of mass surveillance coming out for the last few years just got a little more real for a lot of people. Apparently, when your side loses an election, they don’t switch off the massive, legal-grey-area global spy network when they pack up and move out.

Trying to collect everyone’s data for analysis at any future time may sound like a brilliant idea to you. Think of the good that can be done! No. You can’t think of such a thing in terms of it being run by rational, decent people. You can’t think of it being run by people on your side. You have to consider it as if it were possible that such powers could be put in the hands of a maniac.

Many people supporting Hillary Clinton for president, and the re-election of President Obama before that, were eager to dismiss this issue. Both (along with many other Democrat and Republican leaders both past and present) were part of the construction of this machine, though. Soon it will be handed over to a President Trump, providing he can beat the upcoming rape trial and several other allegations winding through the courts and avoid being impeached.

This isn’t just an American issue, or about some constitutional rights that only apply to people on the right side of the upcoming Mexico-funded wall. This has to do with all the U.S.’ intelligence trading agreements.

Just let that sink in.

When Obama — with Clinton’s support — extended and expanded the reach of America’s mass surveillance project, most of his advocates were defensive, apologists, or dismissive about it. What does it matter? How does it affect you? Many folks looked the other way while millions of people around the world were targeted based on “selectors” generated from some text they may have put online somewhere, a video they may have watched, photos they posted, or maybe just how their surname, language or national origin happened to feature on the computer screen of some NSA contractor. Lots of people thought it wasn’t a big deal. Many people may have even believed that, well, if they don’t have anything to hide…

This isn’t a warning, it’s a reminder. The warnings have been coming out for years, people just didn’t do anything about them. While the apparatus stays the same, its uses can and will change. The selectors can be altered. Other people may find all sorts of things that they suddenly wish they could hide even if they can’t: Political affiliation, who their friends or family members might be, social interests, reading lists, gender identity, religion, race. What selectors will the new regime prioritize?