Why My Motto as a Security Journalist Is “Assume Breach”
How to stop worrying and learn to love a Faraday pouch
The network is hostile. We now live next door to every sociopathic intelligence agency, corrupt police force, and mafia hacker on the planet. In such a world, we have no guarantees and few guidelines, but “assume breach” will help you stake out an improved security posture.
You’re likely already following this advice without even realizing it. When you put a sticker over your laptop or smartphone camera—you are doing this, right?—you are assuming, without any proof, that your device may be compromised, and acting accordingly.
Try assuming that all your devices have been compromised. Assume your communications are being read by a malicious third party. Assume that malicious third party wants to shut down your reporting. What happens next?
Owning your phone is trivial for any sufficiently motivated nation-state hacker, and enables them to hot-mic all your meatspace conversations. So what would it mean to assume our phones have been compromised? Avoiding sensitive conversations within earshot of a smartphone, storing phones in the refrigerator or microwave when not in use, and removing microphones from our devices. (Plug in earbuds when you need to make a voice call.)
Consider also how trivial it is for a motivated adversary to track you in real time—or go back into the past to cross-reference your smartphone’s geospatial coordinates with those of, say, a suspected leaker. The government wouldn’t have to hack your device to get this information—it’s available via subpoena from your cell phone provider. So “assume breach” means buying and using a Faraday pouch when you carry your phone.
Even stored in a Faraday pouch with its microphone disabled, your smartphone can still give you away, or reveal a confidential source. An adversary who hacks your phone can use the accelerometer to record your physical movements, where you went, and how long you were there—and then report back next time you take the phone out of the Faraday pouch. So maybe you don’t want to carry a smartphone at all, in some instances.
Maybe you think, they’re not really out to get me or my sources. But as Martin Shelton pointed out right here in the Source, you really are worth hacking.
Encryption and Anonymity
If you’re reading this, you may already be using Tor, but even Tor isn’t perfect. Last year, I called up many of the world’s leading anonymity researchers and asked them what they thought of Tor’s security model. You can read my deep dive with their responses, but the bottom line is that even moderately-resourced attackers can de-anonymize Tor users, at least some of the time. I pump most of my traffic over Tor, and encourage you to do so as well—some defense is better than none. But be under no illusions that your conversations are perfectly anonymous.
Likewise, encryption. Signal is best of breed for secure messaging apps, and I’m sure you’re using it already (right?). Cryptography experts are confident Signal’s encryption is unbreakable even by the NSA. But there’s no guarantee that Signal’s encryption will remain unbreakable forever. (As any cryptographer will tell you, we can’t prove an encryption cipher is unbreakable, merely observe that no one has publicly broken it yet.)
The NSA has been making noises for the last several years about a quantum computer on the horizon. Quantum computers would be so powerful they could brute force the best cryptography in use today, and retroactively decrypt all the conversations you’re having on Signal right now. And as the Snowden docs make clear, the NSA are storing indefinitely all encrypted communications collected as part of their mass surveillance programs. Some experts scoff that quantum computers are fairy tales, while others insist that within ten years all our current crypto will be completely broken, and we should move immediately to quantum-safe crypto.
Which is true? No one knows for sure, or if they do, they aren’t telling.
Many encrypted Signal chats you’re having today will be meaningless ten to fifteen years from now, even conversations with some anonymous sources. But not all. Assuming breach means thinking carefully about not just what needs to be kept secret, but for how long.
Those already familiar with the “assume breach” mantra are waiting for me to finish the sentence: “…and compartmentalize.”
Information tends to be divisible into more or less sensitive categories of confidentiality. Intelligence agencies use Confidential, Secret, and Top Secret classifications for a reason—to cover up their crimes, of course, but also to ensure that someone who gained access to all the Confidential documents would not also get access to more sensitive documents.
Security always comes with trade-offs of money and time. The buffet menu for the ambassador’s reception is no more Top Secret than the news reporting of your newsroom’s drama critic or sports writer. Spending scarce resources to defend what does not need defending would be foolish.
Let’s look at a few concrete examples to illustrate the point.
Suppose you’re using your iPhone for sensitive conversations with sources, but also for Tinder and Facebook. Maybe you’ve got a couple dozen apps on your phone, because Pokemon Go and Candy Crush etc. Don’t do this. Every app you install, every email you open, every text you receive increases your risk of compromise. An attacker who wants to spy on your Signal texts doesn’t have to break Signal, all they have to do is break the weakest link—probably one of the other apps on your phone. You don’t know how secure all those apps are. The app makers don’t know either. The only people who know for sure are the attackers exploiting their flaws.
So separate work and personal devices. That way if your “Secret” Tinder conversations get hacked, your “Top Secret” Signal chats with sources won’t wind up on Pastebin.
Google and Apple both go out of their way to make your stuff available on all of your devices. They tout the simplicity of starting work on your laptop, switching to a phone, and finishing on a tablet. Cloud password managers like LastPass and 1Password enable cross-device authentication, but also cross-device compromise. A locally stored password manager like KeePassX is sometimes a superior option. If you have nation-state adversaries, using a cloud password manager for all of your passwords is asking for trouble: if all of your devices have access to your cloud password manager, all an adversary has to do is own one of your devices and they get access to everything. Far better to compartmentalize passwords onto different devices, and locally store the most sensitive passwords in KeePassX. Perfect security is not possible, but you can—and should—raise the bar.
Consider also what “assume breach and compartmentalize” means for newsroom security. A newsroom of any size is a barn door with a target painted on it. You may rest assured adversaries, both foreign and domestic, attempt daily intrusions into your network.
You can’t protect everything. Spending scarce resources on training your drama critic and baseball writer not to click on dodgy links is probably time and effort wasted. Far better to identify what adversaries are really after—investigative reporting, source identities, editorial strategy sessions, encrypted chats, and sensitive upcoming op-eds, to name a few—and defend that data separately. Newsrooms examining leaked government data, like the Snowden docs, often use a secure room with an air-gapped network to keep those documents safe. What should you be protecting?
One Flaw to Rule Them All
Assume breach also extends to your choice of operating system. For most operating systems, it only takes one working exploit to own your entire computer—laptop, smartphone, what have you. An attacker who gets access to your Windows laptop can access, modify, or delete anything on the device.
The “reasonably secure” Qubes operating system is built on the “assume breach and compartmentalize” philosophy discussed here. You can separate your work and personal lives into multiple domains, and an attacker who gains a foothold in one would not have access to the rest—unless they are very, very good.
If you’re a Linux geek, get Qubes stat. Newsrooms might even consider deploying security staff to manage and run Qubes for high-risk non-technical reporters.
Think Like an Attacker
Assuming breach means assuming malice. Modern digital attacks are less a battle to hack power plants and more about controlling the narrative and manipulating public opinion at global scale.
With such high stakes, and a glowing target on your chest, assume breach means thinking like an attacker, and using your imagination: How could someone powerful and ruthless disrupt your reporting and get away with it?
Then act accordingly.
J.M. Porup is a contributing security reporter for Ars Technica UK, and a member of the Berkman Klein Assembly 2017 at the Berkman Klein Center at Harvard University. Porup is currently looking for full-time work covering cybersecurity, and improving newsroom security, in New York or elsewhere. Porup’s motto is—wait for it—assume breach.