All right, welcome back everybody. Next up is our invited talk at the Crypto and Privacy Village this year. Please welcome Harlo Holmes discussing Tip Lines Today.

Thank you so much. Hi. How's it going? All right, so thank you very much for coming to my talk entitled Tip Lines Today. I run an operating system called Qubes. This is why this looks so horrible. But I think, yes, Qubes life. I think you'll bear with me.

Okay, so by way of introduction, my name is Harlo. I am the director of digital security at an organization called Freedom of the Press Foundation, of which we have several friends at DEF CON. And what we are is we're an organization that was founded in 2012. And one of the ways to describe what we do is that we provide 21st century support to 21st century journalism. There's a lot of people actually at this conference who do similar things.

So my department, Freedom of the Press Foundation is kind of like based off of an error at least in my estimation based off of like three main pillars. The one is my department: digital security training, consulting and other support for journalists themselves. So putting tools in journalists' hands in order to enable them to communicate with their sources and with the public at large more securely. But tools, and so this talk is going to be focused on tools. However, I do want to like underscore the importance of the other two pillars. One being our tech team, our amazing engineering team based out of, well actually, I can't even say where we're based out of anymore. But one of our flagship products is something called SecureDrop, which is an appliance that is installed in a number of newsrooms across the globe that leverages, among other things, Tor hidden services in order to facilitate, technically speaking, anonymous communication between potential sources and the newsrooms.
And actually, if you have any questions about SecureDrop, we have our lead developer and one of our security and our director of security on that actually in the audience. So please do seek us out if you have any questions. It's a fabulous project and we're going to talk a little bit more about that later on.

But so we have education and consulting. We have tools and engineering, but we wouldn't be anywhere without the third pillar, which is our advocacy. So we have, this is kind of the Press Freedom Tracker, which is one of the projects by our advocacy team where we actually have reporters who document attacks against members of the press as they happen and report on them as, you know, like the reporters do. One of the benefits to this tool is that, one, you know, we actually have like a quantitative measure about how journalists have been attacked, where, when, you know, like what tools were in play when that happened. So we actually have a number of data points in order to analyze these things. We'll get back to that. And also, because it's advocacy, we put this out in the public light. We actually have readers and, you know, page views and all that stuff. And thankfully, you know, through the work of our intrepid journalists, we're actually able to, like, you know, promote infractions on press freedom to the public eye. So we're nowhere without all of those three things and they all interlock and it's important.

So on the menu today, what we're going to do is we're just going to, we're going to talk about, like, you know, some terms, both technical and legal, regarding source communications and technologies in play to do that. We're going to define those terms. We're going to dive into the history of source communications. And then we're going to talk about, like, you know, the tools in play, the standard tools, discuss the technical challenges regarding them.
So, like, there's always, you know, the devil is in the details, as they say, discuss the legal challenges that, you know, come up when people are using these things because I want you to remember that no matter how great a tool is and no matter how elegantly we can all collectively define what these terms mean and no matter how elegantly the crypto is implemented, there is always room for error, especially when the law comes into play. And then we're going to talk about what we're going to do in the future. And this would be, like, I guess, an appeal to any of you, whether you are journalists, whether you are technologists, whether you're writing tools, using tools, in order to make this a little bit of a better landscape.

Alright, so in my trainings, we always do this. We talk about how to, you know, like, do a threat model or whatever. Threat modeling, these are, this is a methodology by which you ask yourself a couple of questions. And you think about your relationship to devices and the things that you have in your hands in order to better assess exactly how best to use them. So the typical jargon is what are your assets? What is it that you have to protect, whether this is like some passwords or your contact list that might be linked to your iCloud or, like, you know, whatever. Adversary, from whom. A lot of people think that their adversary is a three letter agency or four letter agency. But, you know, sometimes that adversary is actually, you know, a troll on the internet or, you know, somebody who's like incredibly bored. Consequences, obvious. The likelihood is actually a huge question. Because you have to ask yourself not only like what the likelihood that that's going to happen, what is the likelihood that like, you know, the NSA is going to be interested in your call logs, or when maybe the likelihood is actually that you're going to get your, you know, number SIM jacked by like some kid who just has like a grudge.
And then finally we challenge people to use the tools in our trainings in order to like bolster their ability to protect those threats. And ultimately, we focus in training a lot on, you know, what we call the low hanging fruit, meaning that, like quite frankly, given, you know, the likelihood scenario, it's way more likely that someone will try to like, you know, get into your password because you're doing password reuse or something like that and to take over like your Twitter account than it is for someone to, you know, like use a supercomputer in order to like crack some passwords or whatever. Right. This makes sense. You've all seen XKCD.

Okay. So this audience is fairly technical, but I wouldn't be doing my job if I didn't just go over some basic terms in about like encryption and blah, blah, blah, blah. Okay. So content, right? What's being said? Okay, contents of your messages. Metadata, meaning, as, and this matches really well to journalism, the who, when, where and how attributes of how conversations happen. These are, what I've learned in working with a lot of journalists is that people are more attuned to the human-legible metadata, meaning like people's handles, you know, like people's names, right, telephone numbers, etc. But they're less likely to factor in the digitally or like the more computer-legible metadata, including like IP addresses and things like that. Obviously, we have the, you know, the duality of encryption in transit and encryption at rest, the stuff that stays on your machine because you might have downloaded the software programs that you run, you know, like the data that actually lives locally on your device versus encryption in transit, meaning like, you know, why like SSL works or whatever.
Of course, there's end-to-end encryption, which is the, I guess like it's one of the most important tools that we have here, which I define, you can definitely like ping me afterwards to like berate me about this definition here, but like, you know, making sure that in addition to encryption in transit, you're actually using the service as, or the service provider in the middle that ferries that information between parties to be as blind as possible, and that only the computer or phone in play in a particular conversation has the material available to decrypt and make a content legible, although there's still the metadata question and we can get into that later.

There's also some stuff that like, you know, kind of cribbed from like the old days of like the cypherpunks and OTR and things like that, like perfect forward secrecy, the fact or the ability for a piece of software in play to actually like cryptographically attest that only, you know, like a certain subset of information will be available at any given time and like historical things are not available because those keys are not available. And so obviously the difference between like Snapchat's disappearing messages and something that we have in Signal. And plausible deniability, which is like cryptographically speaking, the property that would, that makes it certain that attribution to any particular like parties of conversation is not or would take a lot more in order to deduce. But of course that like kind of falls down when, you know, like users are tied to certain imputable properties such as phone numbers and things like that.

Okay, I'm like, I'm gonna blaze through this, nobody needs to see this, but just so we're on the same page.
Encryption, communicating with that encryption, everyone can see it. All of these things, when we introduce these things we like to call them the adversaries, the people with visibility onto a network who can see and modify anything that's going on, which includes, you know, like the bored Wi-Fi or sorry the bored like IT department who like, you know, sees that you're on, I don't know, whatever, Facebook, your internet service provider which, you know, like is given full opportunity in order to like, you know, put ads on top of your internet uses based off of the fact that you're like visiting certain sites on lawful interception, the hackers in the room, and lawful interception obviously when, you know, like a court order is served in order for somebody to like tap your connectivity or sit outside of your house with a van.

Obviously communication with encryption in play, so like, you know, all of these parties, these adversaries, still do have visibility onto the network but they're not allowed to change things, they can only see exactly like what you're communicating with. The website or, you know, like service provider in the middle of course has 100% visibility into not only like, you know, who's communicating to whom but also what's being said, and that's why ads work so well. And then end-to-end encryption, where you're using the service provider once again as that blind person or service in the middle that just ferries blobs of data.

Okay, so now that that's over let's just talk about how this is in play nowadays.
So for instance you might have noticed that a number of newsrooms have started to publish pages where they advise potential whistleblowers, potential sources, interested parties to send them stuff. Just about every newsroom nowadays does have or, you know, two of a certain size has a landing page that instructs people not only how to use things like SecureDrop but also, as I'm sure you've noticed, how to reach people via like, let's say, Signal, WhatsApp, both of which are end-to-end encrypted methods of communication but also like require the use of phone numbers. And so that is excellent and it's actually like, you know, kind of a landslide in terms of the ability for these newsrooms to provide, you know, a certain amount of confidentiality with any of these sources, but it is very, very far from perfect and there is a lot of asymmetry in terms of how those are being used. Also on, you know, such pages obviously, you know, people have standard email addresses that people send to, but we're going to walk through like, you know, kind of the asymmetry of that and why that falls down.

So let's talk about email really quickly. Email sucks, everyone knows that. Obviously, this is from the Snowden leaks of 2013 where it was revealed that the NSA among any other nation state actors could, you know, like entirely undermine the encryption that takes place between any, you know, like email, sorry, the undermine the encryption between parties and an email conversation. This is like old news, this is six years old news. We also know that services like Yahoo pretty much had like a secret, you know, like a development team that was maintaining a backdoor into any Yahoo account, email, email account that was actually not known to the main security and development team there. They didn't know that, they didn't know that there was like a secret cell within Yahoo that was just dedicated to do this, maintain this backdoor.
We also know that like very, very recently similar issues had been discovered in Microsoft properties like Hotmail, and who's using Hotmail still. Not only did this reveal or give access to standard metadata regarding parties that were emailing one another, but actually also like on certain classifications of Hotmail accounts, people had full access to the contents of those inboxes. So, you know, like email sucks. Recently, obviously, there have been attacks on DNS servers, you know, just on like, you know, the basic like phone book of the internet, which perhaps in the future might be considered a war crime, to tamper with the phone book of the internet. But currently, like the state of things is that these systems are incredibly fragile and have been, vulnerabilities have been leveraged increasingly and in ways that often like, you know, just undermine the entire venture.

Okay, so, of course, what you want to do is you want to shoehorn encryption, end-to-end encryption, into the email chain. However, it's incredibly error prone and the current options out there are like, you know, they're really, really lacking. So, obviously, your go-to for shoehorning end-to-end encryption into email is by using PGP with your preferred GPG client of choice. Yeah. So, this is what people do. It takes, first off, if, you know, who's here using PGP? Love it? Yeah, it's great. Okay. But like you might know that like, you know, you have to love it in order to stick with it because the nuances make it very, very difficult to actually use it in a secure way. Obviously, because you're still dealing with email, it doesn't squat, it doesn't quash the metadata question at all. So, of course, you know, your service providers still know who's communicating with whom no matter how many, like, burner accounts you have, you still have an IP address, obviously.
And unless you're taking measures in order to obfuscate or, you know, like somehow change your IP address, like, you're not fooling anybody about who you are when you email. And so, that means that like, while, you know, a lot of journalists have the benefit of sitting with security professionals in order to get training and to answer any questions about how to use PGP securely, sources do not. They absolutely do not. And so they're absolutely prone to hurt themselves.

And of course, there is no perfect forward secrecy. I mean, so back in, you know, the day, obviously, like the, okay, what's the key length for your PGP key? Anybody? Just shout. Great. 496. Cool. Like back in the 90s, it was like 128. And though these, these are crackable, like, you know, there are CTFs that we're all in undoubtedly playing right now where that's like a challenge. So in the future, like, you know, you can't expect your key not to be cracked and for all your secrets to be like spilled open. And of course, we do know from the Snowden revelations and other verses that like, you know, like there's just email that's being hoarded with the eventuality that those will be cracked. So whatever.

So people, that said, people still want to do it. And people are, you know, like switching to ProtonMail, which is an admirable product. I really, really do enjoy ProtonMail. I think that they have like a lot of excellent extra tools in addition to just like offering, you know, like PGP encryption in ProtonMail users, like right out of that. But there are still some, you know, problems. One, one thing that I've seen that I find particularly alarming is just like a little bit of like bad messaging around what ProtonMail can and cannot do.
One meaning that like, you know, you get a ProtonMail account and automatically like your email is end-to-end encrypted, which is absolutely not true because obviously if like between ProtonMail users, yes, that works by default, but also because it's web based and because ProtonMail doesn't, or so I believe ProtonMail does not want to assume that anyone's particular browser is capable of like actually, you know, like performing calculations on larger keys, you get a two, like a 2048 bit key by default, unless you like, you know, opt to level up a little bit. So that's one off bad messaging that needs to be kind of addressed. Also the fact that like, you know, unless you're emailing a ProtonMail user, that's not going to kick in unless you actually dig deeper into the settings and configure the ProtonMail from its web interface to work with PGP using, you know, like keys, public keys from other people that you want to contact on other email clients that you use via like the standard PGP key server morass, which sucks. And so like there's a lot of bad messaging once again, regarding how to safely use this. And you might find yourself in a situation where you're noticing that like a lot of people are just spinning up ProtonMail accounts and emailing people in the clear to, you know, a news org's like, you know, like, I don't know, like Microsoft, hypothetically, Microsoft Outlook backed email address, thinking that that is a secure method of communication where it's not. So there's bad messaging going on.

A lot of people are using Mailvelope. Mailvelope, I'm sorry, these slides are a little bit out of date because Mailvelope actually got a huge facelift in recent days. It looks great. It's lovely. So it looks better than this.
But Mailvelope is actually the current like go-to for people who are still like wedded to using browser based email, email clients, including like, you know, anyone who has like a Google enterprise account or even like using Outlook for web or whatever. So yeah, it's cool to be secure. That's how it looks. It gives you a pop up window where you can compose a message without, hopefully without, you know, having that message saved to a draft folder, which is great. And then pops that into the standard composer window in, you know, your client of choice. There's also, this is great, but there's also like a lot to, a lot to worry about and actually have a slide about that a little bit later. So I'll get back to it.

Then there's also Tutanota. Tutanota is also an admirable client that provides end-to-end encryption for, you know, like email parties. But it still actually has like its pain points. That's what one notably was the attack on Tutanota users that leveraged the fact that the domain Tutanota.com, which is legitimate, that's legitimate. However, a nation state attacker spun up a server at, that looked exactly like Tutanota, at Tutanota.org, which given the communities that we work with, primarily, you know, like potential whistleblowers, human rights defenders, et cetera, they're definitely like attuned to trust a dot org way more than they would trust anything else. And so this was actually a really like horrifying and effective way of like luring a bunch of vulnerable people in vulnerable populations to a site where they just added their, you know, like username and passphrases to open up their Tutanota accounts. So the fact that like, you know, they're like despite all of our bests, our best attempts, like the fact that nobody went up like dnstwist in order to like just kind of recognize like where those vulnerabilities are, that is going to, those attacks like that are going to increase.
One thing about Tutanota actually is that they have a like a nascent feature. It's in beta, but I highly recommend people like take a look at it and, you know, play around with it, which is called like Secure Connect, where you are able to spin up a subdomain, and we'll get to that in a moment, in order to enable like anonymous submissions via the Tutanota email chain from, you know, like potential sources or whatever. So this is like, it's an interesting project and still in beta and I would love to hear from, I mean, not only I, but also like Tutanota, I'm sure, would love to hear from the developer community about like the sustainability of that model.

So to recap there, I guess I'll go backwards, like Mailvelope is the only like, you know, web-based like PGP client that actually like has quote unquote the ability to interface with your onboard native GPG client. So whether you're running like, I don't know, Gpg4win or, you know, GPGTools or, you know, the native Linux based one. However, it is dicey. It doesn't always work. And so one problem with that, that we, that I see a lot in the field is actually like people losing their keys because, you know, they have to update Firefox and like there is no backup because the interface between Mailvelope and your native GPG client is a little bit incomplete, has a lot of bugs in it. So yeah.

And also as far as like, you know, the Tutanota example goes where once again, it's incredibly admirable that you can go to, you know, like, you can go to leaks.newspaper.org and then like create this email chain, the set, the very, very fact that, you know, you are going to like a subdomain and that's what's required currently by Tutanota is actually like really, really problematic, especially if, you know, legal gets into play.
And so this is the first part where I want to just highlight the discrepancies between like, you know, what's technically awesome and what's technically elegant and technically works and the way that, you know, someone might be investigated by law enforcement. Thanks. Halfway. Cool.

All right. So without further ado, I'm just going to segue into what we teach people about how to use the tools. My apologies in advance to all of my colleagues who've seen this a million times. Okay. So this is the matrix where we, instead of like telling people use this tool, use that tool, blah, blah, blah, we actually teach people how to evaluate whatever tools they have at their disposal along a matrix because it's always going to change. And also this matrix is entirely subjective, meaning this is what it looks like from my perspective. And we always tell people that their mileage may vary.

So on our Y axis vertically, we have, you know, like what's excellent in terms of like of their technical ability in order to maintain a confidential conversation, i.e., do they offer end-to-end encryption? Right? Yes. Signal definitely does. And, you know, like, how do they treat metadata? Can we actually prove that? Is there, you know, like a, I guess, precedent out there where people, you know, where these attestations have been challenged and came out victorious versus stuff that sucks. But then we have the, the, our X axis, you know, horizontally where you have to talk about availability and how appropriate a tool is given a conversation. So in my world, I put Signal here because I know about, you know, like obviously we know, we know about Signal. I'm not going to go into it. It's great. But the fact that like, you know, only like a handful of people in my life, increasingly more, use Signal makes that or puts that in this quadrant here. Whereas WhatsApp, which of course has, you know, end-to-end encryption similar to Signal.
But the fact that it's owned by Facebook and what they're doing to the metadata and blah, blah, blah, I'm going to get like a little bit into that, but not too much. The fact that like up until fairly recently, you know, like all of your chats were like backed up to iCloud or, you know, Google Drive or whatever, like these are decisions that bring it down on our Y axis. But you, you know, conversely, you have to think about the type of conversation that you're going to have. The fact that literally like WhatsApp is on like 1.5 billion phones on the planet, that's huge in terms of accessibility. The fact that like, you know, if you're speaking to someone who like for various reasons, if you have something better like Signal on your phone, would get them in trouble. Whether that's somebody who lives in another region, someone who's in a, you know, a very, very precarious situation where like, you know, like intimate partners might be looking at their phone for things like that. You know, these are going to color your, your decisions.

Facebook Messenger sucks. Obviously, if you have any Facebook app on your phone, like you're just owned by Facebook. As long as people aren't using SMS messages, which for so many reasons, not only like, you know, from like the legal, like, you know, we can just like subpoena a whole bunch of text messages, but also from like a hacker, a hacking perspective, like it's just a bad idea.

We teach people about leveraging, you know, safety numbers in order to like actually trust the conversations that they're having, despite using Signal, but like a lot of people are not doing that. And so once again, I'm going to come back to the asymmetry here, but like, this is not happening, verifying safety numbers is not happening on a, on a larger scale.
People don't also realize that like the, the precarity of group messaging, meaning that, you know, like, I don't know if you've noticed, but like, you can leave your own Signal group, but like you can't eject anyone from a Signal group. And so as, and this is like, as people's groups grow in order to like talk about sensitive projects and things like that, depending, especially for like distributed teams, this actually comes into play, meaning that like, you know, someone within the Signal group might have been compromised, no one has any idea, and you have to, you have no choice but to like burn that group to the ground, never return to it and start up a new one minus that person who you suspect. And this is actually not an elegant solution at all. It doesn't work. People are remiss to remember expiry on group messages especially. You know, so what we do advise people to do is to like set up their like, you know, a one week expiry as soon as they join a Signal group or as soon as somebody notices it, but this is not, you know, like it's not a default and it's not something people are doing. Yeah, for the interests of time.

Also, so sealed senders is actually a little bit of a, a daisy bit. So sealed senders in Signal allows for a little bit more obfuscation of metadata within Signal and that actually becomes increasingly important, but it's not perfect. But the thing about sealed senders is that while that can be enabled very, very easily for members, for people that you're talking to who are in your contact list, if you're using a phone as a member of, you know, like of the press or whatever, that you're, you have to like enable it for everyone.

I see a yes. Good. Yeah. So the question was, I mean, if I'm correct, how does, or does that have any effect on being on background? Yeah. So, okay. So that's an interesting question. And I'm just, I'm going to spitball with that.
So the question was like, does, you know, enabling sealed senders have any impact perhaps on the type of sourcing that you might do? So first off, I, you might actually want to seek out like and get that or ask that same question to other journalists who are like incredibly technically minded who are actually at this conference. So like Lorenzo or Joseph Cox or Micah or whatever in order to like talk about that. I mean, I think that that's an interesting question regarding whether or not you can take these technical properties and like use those to kind of enforce, you know, like very, very soft standards within journalism, such as like whether a source is on background, meaning that you're, when you print the article, they're like, you're not necessarily going to like, you know, attribute certain information to them. They just like gave you a little bit of background, or whether they're on the record. And in which case you might actually like leverage, you might leverage disappearing messages in order to do that. But the thing is like, these are soft standards. And I mean, I can't really imagine how any of those things can be enforced technically. All right, any who's not going to.

So another thing is like, SIM jacking is still a problem, meaning somebody ganking your phone number and impersonating you. And of course, if you have like, you know, a public presence where you're advertising your phone number to literally everyone in the world, that actually might be, you know, something within your threat model. Telling people to set a registration PIN is super duper important. So, you know, you can't authenticate Signal on another device unless you have that PIN.

Also, the leakage, and we're going to talk about this a little bit later. But I just want you to note that there's like all sorts of like third party or sorry, like a side channel leakages that can happen.
So if we're talking about, you know, like badges and things like that, being sure that like if someone, you know, like looks at your phone, even when it's locked, you don't have like this big old bubble that says like, you know, sources, here's the pee tape or whatever. So leveraging those things to work for you is really important. It makes all of the difference. We have guides on our website if you want to like talk about that.

So but then I guess to bring it back, like there's huge privacy implications. So once again, courtesy of Dan Sinker of OpenNews, one of my mentors. Don't, so people have the idea nowadays because like, you know, end-to-end encryption as it's been enabled by all of these tools is so convenient and so like omnipresent that like having, you know, the, this type of sensitive information come to the phone that you have in your pocket is incredibly problematic. And quite frankly, you know, the developers of Signal did not intend or did not ever expect that it would be the case that, you know, you could conceivably get the pee tape on your phone and then call your mom and then take a Lyft home. Like that's, that's huge.

So you might have seen this, Joseph Cox's article about, you know, just like the ephemerality of, sorry, not the ephemerality, rather the fact that like, you know, our phone numbers are, you know, like so intrinsically tied to our identities, right? So like you have someone's phone number, you have that person in general, right? But yet this still happens. Hello. So you, obviously you'll notice that like, you know, like a lot of reporters nowadays like do have on their public presences, like this is the phone number, come like, you know, I promise like I will pick it up at any time to talk to you.
But counter that with a very, very thoughtful article written by Jillian York of EFF about, you know, like just like how you have to factor in your things, your identity, like things like your gender, your race, your, you know, like ability, your everything into like doing this type of work, if you're going to use like Signal as the primary or like any phone number base as your primary. And quite frankly, like, you know, like, I have huge amount of respect for both of these men up here, like I really, really do. I love them. But like you have to imagine that this type of openness is only afforded to people of a certain type. And so we need better solutions, because not only like for protection, but also it definitely like affects the type of reporting someone can do. And I want you to think about that.

So we go to virtual numbers. Obviously, like, you know, like a Twilio, any Twilio fans out here? Yeah, they're great. It's like actually my favorite toy is Twilio. Ask me about Twilio, my Lord and Savior. So Twilio has, you know, allows you to spin up very, very affordable virtual numbers in order to link that to a Signal device. There are of course, like, you know, the caveats that you only can, well, one, you can only, you know, like on an iPhone, for instance, have one phone number associated with Signal. On Android, however, you can have many because Android allows you to have user profiles. So you can spin up like X profiles, associate them with X Signal numbers and toggle between them, you know, like on whatever schedule that you figure out for yourself.

But there are some caveats. So and this is to prevent spam and other like, you know, types of fraud. Providers, like WhatsApp, primarily. WhatsApp, you still allow you to register silly Twilio numbers. I have a grandfathered in WhatsApp number that I got off of Twilio. But they no longer allow you to do this.
And the reason why is because if you, for instance, look up any phone number, you might notice that the carrier type is registered as voice over IP, rather than mobile, landline or whatever. This actually makes a huge difference to the point where like, in certain cases, you might at best receive a whole bunch of CAPTCHAs that you have to go toggle through in order to associate that number, or it just might sinkhole you and not associate your number at all, depending on your service and depending on the method by which you're trying to associate this phone number. So this is, I went to Bletchley Park, which is the birthplace of modern computing and cryptography and all that stuff. I tried to get this phone number. I failed. I couldn't get it. So a lot of people, you know, like if you are using the virtual number, usually that actually links up to like some sort of desktop situation, and which is especially useful if you have multiple reporters who are working on the same story who are receiving the same tips. This works really, really well for distributed teams. It works really, really well. But there are so many limitations and there's so many danger points. So first off is the logging. There was an article that came a couple of months ago regarding just the fact that, like, on a Mac, you know, like the Signal, or the notifications, the desktop notifications that come in through like Growl or whatever, were actually also being like logged to a separate side channel like database that was entirely like accessible, especially from a forensic standpoint. So you have to think about that. Also a conundrum within newsrooms specifically is the IT culture there. So like, yeah, you're receiving, you know, like you have this tip line that is on your work-provisioned desktop. And if IT can remote desktop into your computer at any time, that actually is a huge, huge detriment to how well you can maintain a confidential conversation. 
And so I don't know how to get around this. I personally do not have like the clout within any newsrooms to move that decision in one way or another. I can only just bring it up. And also the same thing goes for full disk encryption. Obviously we know why that's important. But there are some places where full disk encryption on a work-provisioned laptop is not a possibility because of like brittle IT infrastructure. So some people are doing some cool stuff using like a variety of like third-party, usually open source developed clients in order to like better leverage Signal, especially for desktop or whatever. Some that I want to shout out is like signal-cli by AsamK on GitHub, thefinn93's signald, which I like a little bit better, which I learned her out. Sigarillo, which is being developed by the Guardian Project, which is also another group of mentors of mine, that actually is being leveraged into help desk software. You might want to have a look at that where you can allow people to have like an end-to-end encrypted conversation with their web client, which is the end point. And then like the end the encryption kind of drops off there because it's more like point-to-point encryption. But it's still really, really useful if you want to like mass triage. And this is like excellent for incident response, as you can imagine. Tuttle developed by, it's an open source project. It's super in beta. It's not ready yet, but it's really, really awesome, by Parker Higgins within our team at Freedom of the Press Foundation, which actually allows you to spin up a Signal tip line, we'll say, over a Tor hidden service, which is pretty cool. However, these are the caveats. How are you managing attachments? Attachments are really, really, really hard to manage on any of these CLI clients. Also, disappearing messages, support for that is really, really dicey once again. 
And so you might find yourselves in conversations where like disappearing messages just like drop off and maybe people don't notice. So you're actually like creating permanent records because a lot of these CLI clients have bugs where they struggle to maintain the period for disappearing messages. Yeah, I talked about, you know, the fact that it's no longer end-to-end encrypted. It's actually rather point-to-point encrypted. And so if you are really persnickety about like your standards for end-to-end encryption, that can be problematic to you. And also it's Java. Kind of finally. All right. So we have all these really, really cool tools, but you have to once again appreciate the difference between stuff working well in math and stuff working well for you in life. So encryption, right? Barring parallel construction, big caveat. I don't have any knowledge of any of these tools that we've been talking about that we love so much being like, you know, entirely backdoored or whatever. But that said, really, like, there's so much opportunity for people to leverage, you know, any of these like side channel attacks in order to, you know, like pretty much get your data anyways. So this is who? Okay, that's okay. So like, you just get a warrant and you take someone's phone, right? In the more elegant scenarios, you would get, you know, your lawyer would be, you know, like they would have to like, you know, enter into discovery, there would be like search terms that you can like query the phone for and get your data if you have to comply with that. And you know, you do. Or in the least elegant cases, and this happens a lot with like, you know, people on the ground. 
So like when, you know, members of the press actually have their phones confiscated at an event that they're covering, when human rights defenders like, you know, have their phones taken from them in a border crossing, when, you know, like whatever, if somebody takes your phone at like, I don't know, coming in through, you know, CPB or whatever, they'll just take your phone and put it on the Xerox machine and copy it, copy what they see. So I did want to bring up that, you know, like recently with the Natalie Edwards case where, you know, like nothing stopped, despite the fact that they're using WhatsApp or whatever, like nothing stopped a subpoena from getting what it ultimately wanted, which was the content of those messages, because that resided on the phone and that was entered into discovery. Thanks. There's also like, you know, kind of like scarier things that keep me up at night. Kudos to Micah, who in his recent article in The Intercept about, you know, the way that, and actually I'm going to use a term by a professor at USC Annenberg, Marc Ambinder, where we're now like at a point where within like the digital security sphere, we're at the point where we are reverse engineering indictments, okay. And so what keeps me up at night is like, you know, just like these side channel attacks, such as the fact that like, yes, iMessage is end-to-end encrypted, but the fact that Apple, you know, does have like a certain amount of unencrypted data that they have, that they keep up to, you know, 30 days, totally subpoenable, such as iMessage capability query logs, which, you know, like you think about like things like presence, things like, you know, like someone is typing, like things like that, that actually give off a lot of metadata that is incredibly snoopable, and you don't need to undermine encryption in order to get that. So that's dark. And so once again, a phrase I like to use a lot is the asymmetry of preparedness. 
First off, don't use WhatsApp if you're covering national security. Probably want to use Signal, probably want to use something way better than that, probably want to do something that we're not even going to discuss in front of a camera. Think about the, you know, once again think about your settings for like logging metadata and data retention and whether or not you can actually like maintain that plausible deniability however you can. For journalists, I always tell them that, you know, like you have, you probably have good legal counsel and good for you, but your source is not going to. You probably like, you know, have the benefit of going through a training, so you know how to like take care of that low-hanging fruit, you know about full disk encryption, you know about like the matrix and like why Signal's great, you know all of these things, but your source does not. And they're not, they're going to fumble. So in closing, let's talk about SecureDrop, because I would be remiss if I didn't. SecureDrop is, I'm going to kind of breeze through this because I don't have time. This is the parking lot of the Watergate. What I think is really, really cool about SecureDrop is like actually this slide is a little bit inaccurate because this is just going to a regular website. But when you think about like, you know, using hidden services, the fact that you take your three hops and the service takes its three hops to meet you in the rendezvous point, that's like kind of exactly like meeting in the parking lot and I dig it. Currently, SecureDrop is a little bit cumbersome and so we're always working on making that better. And currently like, you know, people take submissions, view them on the secure viewing station, which is Tails-based and air-gapped. 
We love it, but increasingly like if you want to actually like work with the data that you receive, there's so many command line tools, but they fall down, especially because the end users, these journalists, are terrified of the terminal. USB sticks often suck and like break. Also like updating and also adding new software that's more capable to a sneakernet, or sorry, to an air-gapped system requires sneakernetting and people are not really attuned to that. So it takes a lot of hand holding and most people don't do it. And also you need a printer. You need a printer and that's like ridiculous. But our team has been working on the next generation of that, which is actually based off of the Qubes operating system, which is this ugly thing that you see here. But it allows you to leverage a lot of tools like what you had mentioned, Ethan, in your talk about, you know, just leveraging like a whole bunch of tools in order to actually work with and interrogate the data once it comes through. So we're really, really excited about that. Ask our folks if you have more questions, it will totally streamline this cumbersome process down to something a lot more manageable and more fun. OnionShare also for moving bigger bits of data. So one thing that I do encourage people to do is to think about not only using SecureDrop as like a submission platform, but also using it to like perhaps facilitate how and choreograph how you might get like data, especially if it's big data, onto your platform. So like leveraging and learning how to use tools like OnionShare by Micah is really, really awesome. There you go. Okay. Last thing, be available everywhere. Different people are going to have different comfort zones and giving them the opportunity to reach them on whatever platform they might be competent on is the best thing that you can do. More technically speaking, one, obviously your contact page, right? You know, you're using HTTPS, right? Okay. And there's like still more you can do. 
Ask our people if you have any questions. Minimize the ads and the tracking and stuff like that. Do not use subdomains because obviously leaks.news.org is really bad in a subpoena. And also leverage like the commons of the internet in order to mirror this information. So you allow more plausible deniability in the first contact situation. Also no matter what you decide to do, if you're spinning up some stuff, please prepare for it either to succeed wildly. And so you have to like prepare for, you know, like abuse and misuse and things like that. And I got to stop and be able to tear it down. Okay. Yeah. All right. The floor is now open for questions. Thank you all of these people. They're great. And goodbye. Okay. We have five minutes for questions. So if you have questions, guys, you can just, you know, peer. So I saw the matrix that you had with the, sorry, the Signal and the messaging. So as a community, I know we hate proprietary algorithms, but how would you fare Telegram? Telegram? Yeah. So like officially, I really, really, I'm not sure. I tend to like have a moderate amount of faith in their claims of end-to-end encryption between two parties. However, this is another bad messaging problem where like no one is, people are getting deceived about like, you know, there being end-to-end encryption on like group chats and stuff like that. So that does worry me. Yeah. Also I have like conspiracy theories about like when they got slapped with that like $16,000 fine or whatever for having too good encryption. And I thought that that was just like theater, but that's a conspiracy theory for me. Yeah. But one thing that I do appreciate about Telegram is that they have a very, very rich playground to play in for developers. And so like, you know, like spinning up like proxy or bots and proxies and things like that is like actually really, really interesting. So yeah. Thanks. Great talk. Thank you. Yeah. 
So if I put Signal on my phone and I delete it, yet if I go to a TSA, not TSA, but some other country and they're gonna look at my device, it's not gonna be installed, but they're gonna see it's one of the devices, I mean, one of the programs I installed. How is there a way, is there a way for me to just remove it from the cloud so they know that it's not, I never. Okay. So like not really, and it also depends on your platform. So if you are like, let's say you have iCloud connected to your iPhone, that is definitely information that is in your iCloud. And like you might notice, like if ever you get a new phone, it's like download the apps that you've already really loved, you know, so there's that, the same thing for Android. And so if you want to, I guess like, have less linkability, then the easiest thing to do would just be to log out of any of those services. And it depends on how far you're willing to go in order to maintain that unlinkability. Thanks. Hello. Hi. So I guess my question is related to IT departments in news organizations and maybe helping them to help us, so to speak, and help journalists be a bit more anonymous or help keep their sources anonymous, that is. So, you know, large newsrooms probably won't have IT departments that are very flexible and very small newsrooms will probably be extremely flexible, but like have, is there any consideration of maybe working on training materials to help medium-sized news IT departments that use management tools and maybe find ways to configure their management tools to be a little bit less surveillance-y? Yeah, and that would be actually a really, really great project. I think that, or at least from my perspective, one thing that I haven't had the bandwidth to do yet is to focus less, I guess, on like, you know, journalists as end users and focus more on like the infrastructure that supports them from an IT perspective. And yeah, all of those things definitely need to be done. 
I think it would be really, really like groundbreaking to see some kind of programming that addresses, you know, the IT needs of a news department that interfaces with potential whistleblowers. That would be groundbreaking. All right, thank you. Any more questions? All right, thank you.