Journalism Security curriculum

Added by n8fr8 over 5 years ago

So we've just discussed the journalism security curriculum in the scrum.

Nathan, Niels and I have in principle agreed we should start from the
initial framework of mobile security issues, but there should also be some
additional learning. I'm attaching the outline below that was written
before the scrum.

Niels et al, if you can please comment on which of these items you think
are Must, Should, May, that would be a great help.

TOPICS

- Are you at risk?
- Are you putting others at risk?
- Learn to keep yourself and sources safe / How are you putting yourself and others at risk?
- Protect proactively
  - After security breach is too late
  - store contact information securely
  - create a security plan/security circle
- Your mobile phone can track you / How are mobile phones tracked?
  - SIM
  - IMEI
- Your browsing history can be tracked / How are your browsing habits tracked?
  - ISP
  - Cookies
  - Browser History
- Use a strong password / How can your password be exposed?
  - Store safely
  - Different passwords
  - Minimum 8 characters
  - variety of characters
  - no obvious personal information
  - never share
  - change regularly
  - transmit securely
- How can you send secure SMS/Email?
  - HTTPS
  - encryption
  - communicate via code
- How can you transmit media securely?
  - HTTPS
  - SFTP
- How can you store/delete media securely?
  - password protection
  - physical safe
  - encryption
  - truecrypt
  - deleting data completely
- How can you communicate securely?
  - encryption
  - codes
  - jitsi
  - zrtp

Replies (4)

RE: Journalism Security curriculum - Added by Anonymous over 5 years ago

Sorry for the late reply, I guess I am not always aware of what has been published or where. I got this list also from Niels by mail so then I started to look for it on the site and found it under forums apparently.

I generally think everything mentioned is a must or a should (not really clear to me what is the difference or which one is stronger). I wonder if we could make a distinction between "normal" security which applies to general online behavior and is not specific to mobile use, so browsing and use of secure communication but also use of passwords.
And then focus on security specific to mobile communication: secure sms, tracking of phones (ISP but not cookies and browser) and on what you can do yourself to act as secure as possible and finish with the protect proactively, what to do if it is too late to do all the other stuff (erase my sim or memory).

Maybe this is part of another curriculum but also options of where to store data, what is on a sim, what is on the memory how can one decide to store what where. And what about the dropboxes for phones so you can instantly upload stuff from your memory and delete it from the phone.

I know we are focussing on android phones for the app but in this curriculum we should maybe include sessions for Symbian, iPhone, Android and even Windows, cause security probably is different for the different OS or probably the solutions are different.

RE: Journalism Security curriculum - Added by n8fr8 over 5 years ago

We are still experimenting with using the forum vs the mailing list, so please bear with us.

The list is mainly a way to have direct threaded discussions that are more ephemeral.

This dev site (and the various forums, news, issue trackers, etc) are more permanent in nature, indexed by search engines, etc, and should be considered the core place to track research and development on mobile reporter.

Journalism Security curriculum - Added by nielstenoever over 5 years ago

Dear all,

I made a small update for the Journalism security curriculum and added
some structure. I'll also run it past Tactical Tech for some extra input
thoughts. Subsequently we need to think how we put this in the lessons
form in the MRApp.

Cheers!

Niels

Draft curriculum for Mobile Reporters Application v0.2

- Are you at risk?
  - Threat modeling (threat is risk + likelihood)
- Are you putting others at risk?
  - It's not only about yourself, you have data on others and vice versa
- Learn to keep yourself and sources safe / How are you putting yourself and others at risk?
  - SMS - Textsecure / Code
  - Photo/video - Obscuracam / MRApp
  - Voice garbling - MRApp
  - Phonebook & phonehistory
  - Telco
  - Locations
- Protect proactively
  - After security breach is too late - how to act/responsibility
  - store contact information securely
  - create a security strategy: security plan (for data)/security circle (for people)
  - Lists
  - Pin on your phone
  - Encryption
  - Different SIMs/Devices
  - Take the battery out
  - Leave phone at home/with a friend
- Your mobile phone can track you / How are mobile phones tracked?
  - SIM
  - IMEI
  - Baseband
- Your browsing history can be tracked / How are your browsing habits tracked?
  - ISP
  - Cookies
  - Browser History
- Use a strong password / How can your password be exposed?
  - Store safely
  - Different passwords
  - Minimum 8 characters
  - variety of characters
  - no obvious personal information
  - never share
  - change regularly
  - transmit securely
  - Lastpass/Keepass for Android?
- How can you send secure SMS/Email?
  - HTTPS/SSL
  - encryption (K9+APG) (should we include this? Should one have secure keys on an unencrypted device?)
  - communicate via code
- How can you transmit media securely?
  - HTTPS
  - SFTP
  - Tor (orbot etc)
- How can you store/delete media securely?
  - password protection
  - physical safe
  - encryption
  - phone, android ICS
  - deleting data completely on phone
- How can you communicate securely?
  - encryption
  - codes
  - textsecure
  - zrtp (OStel)

Niels ten Oever
Programme Coordinator
S: nielstenoever
E:
T: +31 356254309
M: +31 613846622

A digital signature can be attached to this e-mail,
you need openPGP software to verify it. See: http://is.gd/Y06WEs
Key fingerprint = 8D9F C567 BEE4 A431 56C4 678B 08B5 A0F2 636D 68E9

On 06/28/2012 08:37 PM, wrote:

- truecrypt


Journalism Security curriculum - Added by nielstenoever over 5 years ago

One thing to add: App permissions


On 07/12/2012 10:31 PM, Niels ten Oever wrote:

