Tomi Tuominen of F-Secure shared a morning full of tips and tricks on data and computing security in our journalists’ training.
“Journalism is printing what someone else does not want printed: everything else is public relations”, says Tomi Tuominen, echoing George Orwell. “And if somebody gets upset, they may try to do something.”
Tuominen is a big fan of journalism, and wants to help journalists in his field of speciality. He is a self-proclaimed professional hacker – head of technical security consulting at F-Secure, a Finnish tech security giant. Here are some of the tips for journalists that he gave in the journalist course in September.
Take these into account before you have sensitive material at hand. Security cannot be added afterwards.
Not all devices are created equal.
- Avoid computers if possible. iPad with a keyboard is hands down your best option.
- If a computer is a must, and you have sensitive information, use a live operating system, such as Ubuntu, that runs on an external card. Do not save any data on the card.
- Prefer Apple’s mobile devices: they get their money from hardware, software and services – not from selling your data to advertisers. The iDevices are very hard to break into, especially the ones without SIM cards.
- Do not jailbreak your device – you will lose a lot of security features if you do.
- Always use the latest version of iOS.
Harden your iDevice
Make sure your devices are as safe as they can be. Out-of-the-box settings are not your best bet.
- Use a passcode that is eight characters or more (or fingerprint authentication).
- Use a PIN code on your SIM card.
- Disable control centre access.
- Disable Siri and voice commands.
- See if you have any configuration profiles (in general settings, under VPN). If you do, make sure they are something you need.
- Go to Settings > Phone > Call Blocking & Identification. Disable all but the apps you need and trust.
- Install only apps you need.
- Always use hardware encrypted devices. Data lockers, etc.
- Never plug your own media, such as a flash drive, into an untrusted device.
- Never plug unknown peripherals into your devices.
Network and software
- Segregate your personal life from the professional life.
- Use a VPN that is always on. F-Secure’s own Freedome is one good option.
- Avoid TOR, it is not as safe as people think.
- Avoid email and Pretty Good Privacy (PGP) as long as possible – also not secure.
- If you must use email, get an email service that you pay for, such as Fastmail.
- Twitter messages are much safer than email. Let everyone send you Twitter messages.
- A good private messenger is Signal. Don’t use software owned by ad agencies: Skype, Facebook, Messenger, WhatsApp, Snapchat. Also don’t use Russian-owned Telegram.
- For large file transfers use Resilio or Firefox Send.
- Never reuse your passwords (like we all tend to do).
- Use two-step verification.
- Use a password generator & safe software, such as 1Password.
How about paper?
- Some people get so frustrated with difficult electronic security that they go back to using paper. This is not always the best idea.
- Paper is hard to authenticate and it is hard to know who has read the papers.
- Printouts can be traced to the printer that was used.
- You can use tamper-evident security pouches. Use two pouches and cover them with glitter. It is impossible to read the papers without getting glitter everywhere.
Tricks for travelling
- When you are travelling in places where your devices and data could be in danger, there are a few things you can do.
- Carry your devices with you whenever possible.
- Use tamper-evident security envelopes for your devices if you must leave them. Take a picture, or use picture-comparison software such as Escape the Wolf Photo Trap.
- Cover your laptop screws with glitter nail polish. Take a picture, and you can see if someone has opened them.
- Hotel room doors and safes are not safe.
Tomi Tuominen’s presentation was part of a course “From Stereotypes to Covering Global Interdependencies” organized by Vikes and The Finnish Lifelong Learning Foundation in September 2017, in collaboration with Haaga-Helia University of Applied Sciences and Startup Refugees.
Article updated on 26th September: minor editing to the first quotation and noting that it is originally George Orwell’s quote.