Saturday, May 5, 2018

A Step-by-Step Guide to Using SecureDrop


In October 2017, I commented briefly here in the blog about SecureDrop. SecureDrop is an open-source whistleblower submission system that media organizations can use to securely accept documents from and communicate with anonymous sources. The platform has been deployed and is being actively used by an array of journalistic organizations to provide a secure and usable platform for whistleblowers to get in touch with journalists while protecting their own identity.

A reader recently asked for more information about how to safely use SecureDrop. I was going to add some recommendations here, but then came across the following video from the Globe & Mail:


This short video explains clearly how to use SecureDrop, and is probably better than anything I could provide here in written instruction.

Of course, in addition to how to use SecureDrop, we must ask: should you use SecureDrop? Before going to the media, did you report your concerns within your organization? Was your organization responsive, or did the leadership retaliate against you? Who else has access to the information that you intend to provide to the media?

While SecureDrop will certainly protect your communication with the press, it will not necessarily prevent an organization from discovering that you are the leak. You may want to consider other factors involved in providing Confidential Tips to news agencies.

If you wanted to communicate with a news agency other than the Globe & Mail, you would need to start with one of these other websites, but all of the instructions in the video would still apply. If you find it useful to provide a confidential tip to one news agency, you may want to provide that tip to several news agencies to ensure that it receives appropriate attention (every agency has its own editorial policy).

Associated Press

Washington Post

The Intercept

The Guardian

VICE News

WIRED

CBC

The New York Times

The Globe and Mail

Forbes

The Verge

Motherboard

NPR


$5-Million Tort Claim Against WSP for Deleting Public Records, Retaliation...



According to a May 3, 2018 report by KUOW and the Tacoma News Tribune: a Washington State Trooper has accused a leader in the State Patrol’s aviation unit of ordering staff to illegally delete public records... Trooper Ryan Santhuff makes the allegations in a $5 million tort claim filed against the state in February. Santhuff contends the alleged incidents and retaliation from supervisors contributed to a "work environment that no reasonable person could tolerate."

Santhuff also accuses [a WSP Lieutenant] of directing troopers to delete public records after a disclosure request was filed related to May Day protests in Olympia, in 2014. "Not only did the Lieutenant direct staff to delete emails, he also instructed them on ways to remove all copies of these emails from hidden folders on the computers and servers, essentially scrubbing the network of relevant documents," the claim states.

The tort claim states Santhuff reported all of these alleged incidents in 2016 and that WSP subsequently "began a campaign of retaliation against Trooper Santhuff" that included implicit threats, exclusion from meetings, ostracization and lies about Santhuff’s job performance.
--
According to WA State law: To be a "public record," a document must relate to the "conduct of government or the performance of any governmental or proprietary function." RCW 42.56.010(3). Almost all records held by an agency relate to the conduct of government. A "public record" is a record "prepared, owned, used, or retained" by an agency.

Thus it is likely that the e-mails sent and received by WSP in their official accounts are public records, and may not be deleted to prevent disclosure following a public records request.

WSP Trooper Santhuff's claims against the Department will be resolved through the courts, but what I believe is of general interest here is twofold: first, that as government employees, whatever you send or receive in your official e-mail is likely a public record; and second, that if Trooper Santhuff's claims are true, government agencies (WSP) are destroying public records to prevent their disclosure under FOIA / Public Records Acts.

--

In a related issue, a May 4, 2018 article on Motherboard noted that Gmail's 'Self Destruct' Feature Will Probably Be Used to Illegally Destroy Government Records:
“As more local and state governments and their various agencies seek to use Gmail, there is the potential that state public records laws will be circumvented by emails that 'disappear' after a period of time,” the National Freedom of Information Coalition wrote in a letter to Google CEO Sundar Pichai. “The public’s fundamental right to transparency and openness by their governments will be compromised.”


Technology Turns Our Cities Into Spies


The LA Times reported (May 2, 2018) that "more than 30 Oakland Police Department patrol cars are roaming the city with license plate readers, specialized cameras that can scan and record up to 60 license plates per second. Meanwhile, the Alameda County Sheriff's Office maintains a fleet of six drones to monitor crime scenes when it sees fit. The Alameda County district attorney's office owns a StingRay, a device that acts as a fake cell tower and forces phones to give up their location. And that's just in one little corner of California."

Most cities don't just keep this data to themselves. Rather they share it with their regional "fusion centers" of which there are 77 across the country, or share the data directly with other agencies across the United States as we saw with the San Diego Police Department.


Now, most people want law enforcement to have the tools it needs to do its job. Tracking an identified criminal subject based upon probable cause and a warrant issued by a judge is no doubt a good thing. Using technology to conduct mass-surveillance of a community in the hope of finding a criminal by chance is problematic at best.

Friday, May 4, 2018

Russian Government Blocks Access to VPN and Proxies to Stop Telegram Use


Roskomnadzor (Роскомнадзор) - The Russian Federal Service for Supervision of Communications, Information Technology and Mass Media - has blocked more than 50 VPNs and proxies in Russia in an effort to prevent people from accessing the secure messaging app Telegram. Roskomnadzor has also suggested that it could block access to 15 foreign hosting companies if they continue to provide IP addresses that route users to Telegram.

Telegram and millions of related IP addresses were blocked following an April 13 Moscow court order against the app for refusing to give the FSB access to users’ private messages. Telegram founder and CEO Pavel Durov has maintained that providing encryption keys or gaining access to information beyond the device is impossible. (Moscow Times, May 4, 2018)
--

The blocking of access to Telegram by the Russian government may be seen as a portent of things to come in the United States as the FBI and other Federal government agencies seek a master key / backdoor to access encrypted devices and applications.


How to Steal A Police Rifle or Shotgun


OK, I don't really suggest that you go steal a police rifle or shotgun, but if you are a police officer with a rifle or shotgun mounted in your vehicle it may be easy for someone to steal it.

How often do you leave your patrol vehicle unattended? If you have a 'take home' vehicle do you leave your rifle or shotgun locked in the vehicle over night?

Many departments use Santa Cruz Gunlocks to secure long-guns in their patrol vehicles. Recently, rapid bypass techniques to defeat Santa Cruz Gunlocks (SC-1 & SC-5) have been demonstrated on YouTube.

Police Car Shotgun Lock Picked (Santa Cruz Gunlocks SC-1)

Magnet Opens Police Car Shotgun Lock (Santa Cruz Gunlocks SC1)

Police Car Rifle Lock Opened 4 Ways (Santa Cruz Gunlocks SC-5)

I also note that with AR-15/M-4 style rifles the weapon can be removed from the gunlock in under a minute by simply taking the rifle apart. The lower receiver isn't secured by the gunlock, and once the lower receiver is removed from the rifle, the upper receiver can be easily worked out of the gunlock with very little effort.

Reducing Privacy and Security Risks With Threat Modeling


Reducing privacy and security risks starts with knowing what the threats really are. An excellent article appeared in Ars Technica (July 8, 2017) that discussed personal threat modeling.

"Who you are, what you are doing, and where you are doing it are all major factors in determining what threats you face. Where you work, your social and political activities, your notoriety, social connections, travel, and other factors all play into your threat model, too. Such characteristics introduce different sets of potential risks to your security and privacy, and these traits could attract different sorts of potential adversaries. Of course, some activities invite risk in and of themselves based on the kind of information being exposed. In the world of threat modeling, these are often referred to as "assets" - the important pieces of information you want to use in an activity but simultaneously want to protect. Pieces of information that could be used to expose your assets are just as essential to protect as the assets themselves. Personal biographical and background data might be used for social engineering against you, your friends, or a service provider. Keys, passwords, and PIN codes should also be considered as valuable as the things that they provide access to."

Creating Your Own Personal Threat Model
 
To create your own personal threat model, ask yourself the following questions:

* What are the assets you care most about protecting? (emails, images, video, your location, identity, financial information, etc.)

* Who are the different user groups you interact with? (friends, family, employer, random person on the train)

* What are the systems where your data is stored? (Websites you frequent, devices, and services)

* How do all of these things interact? (It usually helps to draw a picture)

* What are the rules I want to maintain? (Who can see my pictures? How much can my employer know about me?)

* What are the top threats that I am worried about? (Hackers? Government intrusion?)

* What steps can I take to best protect against the top threats?