Online Security for Independent Media and Civil Society Activists

A white paper for SIDA’s October 2010 “Exile Media” conference
Eric S Johnson
(updated 13 Oct 2013)

For activists who make it a priority to deliver news to citizens of countries which try to control the information to which their citizens have access, the internet has provided massive new opportunities. But those countries’ governments also realise ICTs’ potential and implement countermeasures to impede the delivery of independent news via the internet. This paper covers what exile media can or should do to protect itself, addressing three categories of issues:
• common computer security precautions,
• defense against targeted attacks, and
• circumventing cybercensorship,

with a final note about overkill (aka FUD: fear, uncertainty, doubt). For each of the issues mentioned below, specific examples from within the human rights or freedom of expression world can be provided where non-observance was catastrophic, but most of those who suffered problems would rather not be named. [NB Snowden-gate changed little or nothing about these recommendations.]

Common computer security: The best defense is a good … (aka “lock your doors”)
The main threats to exile media’s successful use of ICTs—and solutions—are the same as for any other computer user:

1) Ensure all software automatically patches itself regularly against newly-discovered security flaws (e.g. to maintain up-to-date SSL certificate revocation lists). As with antivirus software, this may cost something; e.g. with Microsoft (Windows and Office), it may require your software be legally purchased (or use the WSUS Offline Update tool, which helps in low-bandwidth environments). Firefox, Chrome, Adobe Acrobat Reader and Flash player, iTunes+QuickTime, Skype (and other IM clients), and Java VM should update themselves (or prompt you to install updates), but verify from time to time. MBSA’s scan is more complete than Windows Update. The free Windows Secunia PSI, Ninite or Mac OS MacUpdate patch managers tell you about needed updates and ease installation; IBM’s BigFix is for-fee. Always use the newest (e.g. 64-bit Windows’ ASLR is stronger than x86’s). Keep your smartphone’s operating system (Android, iOS) updated (i.e. don’t jailbreak them—doing so reduces security). Fully reboot at least weekly to ensure boot-triggered update checks and installs are executed. (~USD100/computer/yr to license software)
2) Use a good antivirus on all computers—one which automatically updates its virus-fighting capabilities (e.g. TMIS, McAfee, NIS, Avira, Kaspersky, CA, Immunet (ClamAV), F-Secure, Avast, AVG, MS Security Essentials, BluePoint (the latter’s the most restrictive, since it uses a whitelist), but use only one). An antivirus program in a “security suite” will come with a firewall / intrusion protection system (the ones built in to