DEF CON 29 - Agent X - A look inside security at the New York Times

Aug 5, 2021 17:35 · 8293 words · 39 minute read

- Hi, I’m Jesse Krembs, and today we’ll be taking a look inside security at The New York Times.

00:18 - This talk is also unofficially titled, “A media security primer for hackers”, but it’s really for both journalists and hackers.

00:27 - Most talks start off or end with a thank you at the end, right, the speaker rushes off stage, thanking all their friends, but really I’d like to start this talk off by saying thank you to a bunch of people.

00:38 - First of all, my girlfriend for her love and support and for putting up with all my craziness when I’m like, hey, honey, I need you to get out of the apartment while I record my talk because I don’t want anyone to see me doing it because that would be weird.

00:52 - I’d also like to thank everyone at The New York Times who has reviewed this talk with me and helped me make improvements and helped me dot all the I’s and cross all the T’s and make sure everything looks really nice and sharp.

01:04 - We really do try to get the story right every time.

01:09 - It’s been a crazy couple of years, and in that time we’ve all gotten to watch a lot of movies and have to watch the Fred Rogers movie, it was really great.

01:17 - And there’s a scene in that movie where they take a couple of moments just to think about all the people in their lives who have helped them get to the stage in life where they are right now.

01:26 - And we don’t do that enough. So let’s just take a few moments right now to just sit quietly and think about all the people that have helped us get to where we are in our lives today.

01:49 - All right, all right, all right, let’s get this show on the road.

01:52 - So I’m really gonna quickly start off with my journey, I think this will help reveal some of my biases and some of the stuff in my life that kind of formed how I got here and why I think certain things are needed and some aren’t.

02:05 - I’ve been a long time DEF CON goon, my first DEF CON was DEF CON 6, and that was a really pivotal moment in my life.

02:14 - Working at DEF CON really has given me a lot of confidence, but it’s also given me a lot of life lessons in, A, working with really tight timelines, really chaotic environments, really challenging people, and really learning about how to deal with just time-based pressures in a technical and logistical way.

02:37 - From my experience at DEF CON, I ended up starting a nonprofit called The Hacker Foundation where I had my first interactions with the media as a subject, but also doing a little media support, which is also very interesting.

02:50 - And that was great. And then for years I had regular jobs, I was a bike messenger, a caterer, stuff like I was a webmaster for a brewery, and I was a wireless engineer, and then I was doing offensive security for the phone company.

03:10 - Those were all great jobs, people I worked with were wonderful, but I really felt like I needed to just look a little bit more at stuff.

03:19 - And I heard about this thing called the Internet Freedom Festival in Valencia, Spain, and I decided I’d go do it and see what it was like.

03:27 - It was a really different conference from DEF CON in a lot of ways, a lot of, it was very different from a lot of hacker cons, but similar in the way that all festivals are.

03:37 - And I got to meet a bunch of journalists from around the world there, and I was talking to, they had these.

03:43 - Okay, so they had these little tiny beers called caña in Spain for one euro, it’s really great.

03:50 - It’s a little small beer, it’s got just as much beer as you want.

03:53 - So I’m having a beer with this journalist and we’re talking about stuff and he’s like, oh, I have this source I want to talk to.

03:58 - I want to talk to kind of, I don’t wanna be overwatched by the government.

04:04 - And so I’m like, okay, we’ll just call him on Signal, that’s a really good method.

04:08 - And he says, oh, no, no, he doesn’t have a cell phone.

04:12 - I’m like, oh, okay. Well, you have to come on landline, here’s some stuff you can do to minimize the risk, you can’t negate it, but you can minimize it.

04:22 - And he goes, oh, no, no, he doesn’t have that type of phone, he has this type of phone.

04:27 - And I’m like, oh, interesting. So this is the importance of getting more details.

04:34 - So basically the source that he was trying to talk to was a villager who had a party line.

04:41 - So if you called that number, you called everyone in that village.

04:45 - So, and I was like, this is a really hard problem, I don’t have a solution for you now.

04:49 - And I still actually don’t have a solution for this problem, but it stuck with me, it sticks with me today.

04:54 - I think about this problem, I think it’s a really good, an interesting problem.

04:58 - And these are some of the technical security challenges that journalists are dealing with.

05:04 - And so I left Valencia, Spain, went back to my regular life as it were, but I kept thinking about what was this, this stuff.

05:15 - And I started spending more time in New York City, and there I saw someone very special.

05:25 - And then I saw a job open at The New York Times, I said, no, you won’t get the chance to do this again, you should apply.

05:33 - So I applied, I contacted someone I knew with The New York Times and said, hey, can you reach into the pile and pull mine out because I have a non-traditional background, my resume may not even get seen by anyone.

05:47 - So my resume got passed around to some folks, they looked at it, I did a phone screen, I did an interview, I did another interview, I did a day’s worth of in-person team interviews, and they liked me, they really liked me.

06:04 - So I got a job offer and I took it, and that’s how I ended up with The New York Times.

06:09 - I applied for the job, got the job, not that complicated, right? And since day one, it’s been a very exciting, fulfilling and rewarding job.

06:19 - And that’s the quick version of how I ended up with The New York Times working full-time in media journalism.

06:27 - I think it’s important though to think about what gets you up every day, the getting the job is not the end of the journey, it’s the beginning of the journey or it’s beginning another phase of the journey.

06:39 - So one of the things I really like about my job is that I think this is sort of good, I think news-making organizations, the Fourth Estate, are a key part of a country and it’s really important to be an engaged citizen in that country, so I basically do that all the time now, which is really nice.

07:00 - The job isn’t just about protecting shareholder value, we are a publicly traded company, but it’s not just about making money, it really is a very mission-oriented job and company, which is great, I really enjoy that.

07:14 - The problems are hard, they’re hard in both technical ways, but also in logistical and very human ways.

07:23 - If you have a really whizzbang, super-awesome technical solution, but you can’t explain it to somebody over the phone, or they don’t have the equipment, or they don’t even know how to use the technology, it doesn’t matter, right, it won’t solve the problem.

07:36 - So coming up with solutions that are really, work in a variety of environments and a variety of stressors is really, really a delight.

07:49 - So that’s great. The people at The New York Times are characters, there is tons of great characters, they make movies about these people, but then you end up meeting them in the hall and having coffee with them and being like, huh, interesting.

08:02 - They’re a fun bunch, and they’re driven and they’re passionate and they’re persistent, which is I think a lot of qualities that hackers enjoy.

08:13 - And the work is evergreen, right? The work we do is, I always feel like every day I go in, we’re always getting new challenges and new things are always popping up, the news happens all the time.

08:27 - I also think that there is a kind of cousin relationship between journalists and hackers.

08:33 - We’re both very interested in having information free to the public, so the public can make well-informed decisions.

08:41 - Hackers really tend to be very interested in acquiring info and showing it off to their friends because look, what I can get.

08:48 - Journalists tend to be a little bit more downstream, they tend to be more like, look at this information I got (laughs) from some hacker, this is great, let me show it off to the world.

08:58 - They also tend to be very rigorous in their analysis of that information, which I think is much needed.

09:07 - So let’s just really quickly talk about New York Times by the numbers.

09:12 - There are no typical news organizations, The New York Times is an atypical news organization in many ways, it’s 169 years old, maybe 170 is their birthday next year.

09:24 - Yeah. As you can imagine, a company that old has a lot of technical debt, but it also has a lot of history, and that history is good.

09:38 - One of the great things about working at The Times, in the before times was that we ran in the office and many floors below the one that I work on is the archive.

09:46 - So I went down to the archive and got to plough through the paper card catalog index for Felix Krembs, who is, okay, I believe a great, great cousin of mine or an uncle maybe.

10:04 - Anyway, he was a big time Broadway actor at one point, and so I got to find his name in the card catalog, then go into the actual like archive stacks and pull out the digital photos of him that were provided by his agent to The Times, and hold them and show them off to my family, which was great.

10:20 - Really a wonderful experience. We have a lot of great people who work at The Times, we have 4,500 employees, this includes reporters, this includes people that print the paper, this includes admins and tech staff, this includes developers.

10:35 - We have 1,700 reporters worldwide, which is a huge amount of people to have.

10:41 - 200 of them are overseas. Those 200 are really some of the best reporters we have because they’re the only person you can sometimes send to a place because they’re the only person logistically available to do the work.

10:55 - So they have to be well-prepared and on top of the situation and really understand what’s going on there.

11:00 - They’re really at the tip of the pen, it’s very exciting to work with our foreign journalists or our overseas journalists.

11:06 - We have 500 developers, no other company makes The New York Times app and website like The New York Times.

11:16 - It’s new territory for everybody all the time, so we’re constantly learning and being challenged and developing new things with our developers.

11:26 - We have 31 foreign bureaus and 16 national bureaus, so we have offices globally and nationally and a variety of other facilities.

11:34 - We are a factory that prints newspapers, which is pretty cool.

11:38 - And then now we also have a very diversified workforce who lives and works all over the world and the country.

11:50 - So that’s a whole new challenge is just that geographical spread, right? We just have to keep everybody safe, and (mumbles) as it were.

11:57 - There’s 7.8 million subscribers, that’s a lot of subscriber data, that includes all kinds of PII.

12:06 - We have 100 million plus registered users, which represents a huge amount of data, which we also have to keep safe, of course.

12:15 - And then if you actually think about that, classic InfoSec training, CIA training, confidentiality, integrity and availability, not the other CIA.

12:26 - So we have to get the paper out all the time, we have to get the news out on the newspaper and on the website.

12:33 - So, and that’s an average weekly audience of 7.6 million people, that’s a lot of people to reach.

12:43 - We move a lot of data just in general, right? We print, we produce 150 plus pieces of journalism every day.

12:51 - And it’s not just print, it’s not just photos, it’s podcasts and TV shows and live streams of events and stuff like that.

13:00 - And finally, there’s a plus sign after all the stuff on this slide, right? That’s because we’re growing, and growth brings its own challenges.

13:08 - I used to work for a dying industry, and that has its own challenges too, but growth has a lot of challenges.

13:15 - It feels fun, but it’s also very scary. And so I think that’s a whole other interesting kind of pseudo number.

13:25 - So that’s The New York Times by the numbers in a nutshell.

13:30 - This isn’t just me, I’m not the only person working InfoSec at The Times or even working in security.

13:36 - The InfoSec team at The New York Times is composed of the security operations team.

13:40 - I work on that team, we are the front lines, we answer and advise on all kinds of questions and issues every day, every hour.

13:49 - I’m on call at this very instant recording this talk.

13:52 - We have an intelligence team who does the forward and backward looking intelligence gathering to help us figure out what threats we need to align to, and where to best use our resources.

14:02 - We have an education team, education is a huge part of what we do because of the independence of so much of our staff.

14:11 - Having well-educated, well-prepared staff is really very, very key.

14:16 - Like I said, we have our own apps, so then we have our own AppSec team, which is really another key, key thing.

14:24 - We have a secure architecture team because we have, imagine this, a giant technical, a giant cloud presence.

14:34 - So, of course, we have a secure architecture.

14:36 - Incidents happen, if they didn’t happen, none of us would have jobs.

14:39 - So having an incident response team who can guide both, who can help the InfoSec team do their job better when we’re responding to incidents, but also guide the other people involved in that incident through the process.

14:55 - It’s wonderful. I live in New York City, and New York City has been hit with all kinds of business continuity events within my lifetime, and not just like in the last 20 years.

15:09 - So that’s another thing that is also within the InfoSec sphere.

15:12 - And then finally, of course, we’re a business, so we have to manage our risk and our compliance needs just like every other business out there.

15:20 - We’re not the only security operations at The Times, we also have a physical security team, nationally and internationally.

15:29 - And all three of these teams: InfoSec, national and international, all meet together in the threat response team where we trade intelligence and we work on ways, we overlap because increasingly there is a great deal of overlap in what we all do together.

15:46 - That’s just the security apparatus, right? That’s the people that have security somewhere in the title, but we also have really wonderful sys admins out there who really hold the standard and do a really, really good job of making sure that our systems are secure, so we don’t have to bug them.

16:05 - That’s so nice when you have really top motivated sys admins making it happen.

16:11 - So we don’t have to be like, hey, it’s Patch Tuesday, you’ve got to patch that.

16:16 - They’re already like, to patch that, I’m like even better.

16:19 - We have a great end-user support team out there who just listens to our users.

16:23 - So when the user says this thing, (laughs) and they’re like, oh, that’s a security event, you need to talk to these people right now.

16:32 - And then we have folks in the newsroom: editors, support staff and journalists who help us coordinate, inform us of events, inform us of threats that they’ve gotten both in the physical, but also in the technological sphere, tell us about all kinds of stuff they’re hearing on the street, which is also really wonderful.

16:50 - And then also the past has helped us. We’ve learned a lot from the past and from the people that have been at The Times before us who have helped build the organization and the team.

17:04 - So it’s just not just now that got us to where we are.

17:09 - The present is made by the past and the past has contributed mightily.

17:16 - So here’s a quick guide for journalist security for hackers, but also conversely if you’re a journalist, this is also for you.

17:27 - This is a really great graph that kind of shows the threat continuum for journalists out there.

17:38 - And on one side we have murder and on one side we have litigation.

17:45 - Death is a very real concern for a lot of journalists, this is very high-risk job in a lot of ways.

17:51 - It shouldn’t be, but it is. And it’s not typically what one would consider a high-risk job, but in 2020, 66 journalists lost their lives in the course of reporting.

18:01 - Just today I was reading in the paper about a reporter who lost their life in a conflict area.

18:10 - And the week before a journalist also lost their life covering a parade.

18:16 - And targeted killings by repressive governments, they’re too often willing to kill journalists to keep citizens in the dark about their actions, it does happen.

18:26 - So we always have to factor that in when we’re thinking about the physical security aspects of journalism.

18:33 - This also kind of plays into the InfoSec, which is not traditionally something we would do, but increasingly repressive governments and non-state actors use technology to assist them in precursor activities to murder.

18:55 - Going down the matrix really quickly, we have harassment.

18:57 - I have a slide for this, we’ll talk about this in a bit.

19:02 - So the security team at The New York Times doesn’t protect journalism, we protect journalists.

19:09 - And journalists’ job is to protect journalism, and that means producing high-quality journalistic works and not self-censoring.

19:17 - It means that they should, our job is to keep them safe enough, so that they don’t feel that they can’t cover a story because it’s too hot, it’s too sensitive.

19:26 - And this ties to the next thing, right? If they think that people are after them from hacking, that’s an issue.

19:34 - So we help protect against that as well. Political pressure, that’s basically way above my pay grade, but it’s definitely something that does stop or does concern some journalists at some times.

19:46 - Denying access is another way that journalists’ work is threatened, right? Either through the withholding or manipulation of press credentials or through deportation, PNG, persona non grata, getting someone out of a country so they can’t come back. That is something that does happen and has happened to two journalists in the two years that I’ve worked with The New York Times.

20:13 - Ad pressure is a factor, boycotting The New York Times or another news organization through ads, through people that would advertise with The Times, is definitely an influence that has affected media organizations worldwide.

20:32 - Censorship. Right now there’s some government censoring The New York Times (laughs) somewhere in the world, either overtly or covertly.

20:43 - We at The Times try to provide news to everyone as much as possible all the time.

20:50 - We, for example, I was talking with a colleague today about our Onion, The New York Times’ version of the Onion Service.

20:57 - We do have an Onion Service online, and that’s specifically as part of our censorship busting operations.

21:07 - Reputational attacks. There are attacks against the practice of journalism, against the organization, and of course, against the reporter themselves trying to de-legitimize them.

21:18 - And that’s a more long-term kind of highbrow argument, but I think it’s also a definite concern of journalists.

21:28 - And then finally at the very end of the spectrum is litigation and lawfare where we like to think that very civil people use very civil words in a very civil environment to try to win civil arguments.

21:40 - It doesn’t always occur, but we’d like to think that that happens.

21:46 - So there are kind of three bins that are inherent, and one of them, the last one kind of doesn’t fall on the matrix because it kind of pervades all of them naturally.

21:56 - There’s the physical security stuff, which is an increasing concern year after year in journalism.

22:03 - Increasingly year after year is also the need for increased information in cybersecurity.

22:10 - As technology plays a bigger and bigger role in reporting, and our lives both as a day-to-day activity but also in the nature of how reporting is done.

22:19 - Understanding how technology works, how big data can be understood and analyzed is really key.

22:31 - Finally, there’s a psychosocial security concern here.

22:37 - It’s taken I don’t know how long has journalism existed for, right, for ages.

22:42 - It’s taken a long time for people to realize that the day-to-day stresses of being a journalist takes a serious and possibly negative toll on the practitioners.

22:53 - And so when we’re working with journalists and we’re talking about security practices, we’re really trying to, to train them for an ultra marathon, not a sprint.

23:05 - The best, most fun journalists to hang out with are the ones who have been around the block a lot.

23:12 - They have great stories, they’re really well seasoned, and they have some really good security practices based upon some hard-won lessons.

23:20 - So any media information security organization would definitely take a look at all of these things that are highlighted here in bold as something that they would pay attention to on a regular basis.

23:33 - So I mentioned harassment at the beginning.

23:34 - I kind of glossed over it, but let’s look at harassment, we’re gonna throw a bunch of numbers at you, but I think it’s, I want to get this point through.

23:43 - So Lucy at the CPJ helped put these numbers together for me because this is not something that I look at the numbers of every day, but in 2019 90% of respondents to one of their studies of journalists experienced safety issues or threats in the USA, which we like to consider one of the more safe countries to be a journalist.

24:09 - And then large numbers of journalists have been harassed in various ways.

24:17 - 63% of all journalists have been harassed online.

24:20 - I think we in the InfoSec community are familiar with the fact that people get harassed online, journalists get it all the time, and they get it in very real ways.

24:31 - Following up that number very shortly, very shortly behind it, 58% have been harassed in-person.

24:38 - I have had my run-ins in life, but I haven’t been systematically harassed in-person, right? I can think of one or two incidents, right? But in this case, it happens to a lot of people who work in journalism.

24:52 - Finally, this bottom number 26% have been physically attacked, right? So one in four, a little bit more than one in four had been attacked in the course of doing their work.

25:07 - That’s a pretty big percentage for a job that isn’t really about getting in physical altercations, they’re not wrestlers here.

25:18 - And the other thing to think about is that this is, there is some disparity here, right? Women get this way more than, way worse than men.

25:28 - Two-thirds of women respondents say that they’ve been threatened or harassed online at least once according to the International Women’s Media Foundation.

25:36 - And one in 10 of their people that they’ve surveyed has said that they had experienced a death threat in the last year, not just harassment, but straight up death threat.

25:46 - And I see these threats and they’re real, they’re not, people aren’t joking (mumbles) So harassment is a real issue, that’s something we deal with on a regular basis.

26:00 - And it goes hand-in-hand with social media presence.

26:03 - Having a strong social media presence for a journalist is a huge career asset.

26:10 - If you look at big names at any media organization, they usually have big followings on social media, on Twitter or on Instagram or whatnot.

26:21 - Some of the organizations don’t realize this, but curating and maintaining your presence on social media is work.

26:26 - It’s one of the reasons I don’t do it is because I don’t wanna do the work, I don’t wanna have a big social media presence because I do other things.

26:33 - And with that presence will come harassment.

26:36 - Most platforms are woefully unprepared to provide any real support regarding online harassment, both to journalists and to just regular people.

26:46 - I think there’s plenty of evidence of that if you look through the MindSphere of the InfoSec community online.

26:56 - So one of the places that I always see a lot of people get kind of spur of the moment harassment is from hot takes or spur of the moment comments.

27:05 - So I always advise journalists to be thoughtful and considerate about everything they post online, and that they separate their personal and their private and the public persona, so they get some separation because they deserve it frankly.

27:24 - But, yeah, hot takes tend to get people in some trouble, but they should have the right to have hot takes. (laughs) People just need to start being nicer to each other.

27:37 - So really quickly, people often ask me, where does the responsibility for securing journalists lie? And it really lies with the journalists themselves.

27:49 - The buck stops with them because there’s a ton of competing interests.

27:53 - And my interests are not necessarily the same as the journalists, same as an editor.

28:00 - The editors’ isn’t the same as the journalists and the journalists’ isn’t the same as all those other things.

28:05 - Everybody has different needs and wants and desires here.

28:10 - So finally at the end of the day, it’s really the journalists’ decision.

28:17 - If they’re gonna cover a story and how they’re gonna cover that story.

28:20 - The job of the InfoSec team or any security team working with media is to prepare them with the best tools and knowledge available, and give them the freedom and respect to take care of themselves, and also to do the best they can in covering that story.

28:39 - That’s it. But it’s often the journalists’ job to make sure it goes down correctly.

28:48 - So let’s really quickly talk about training and advisement, that’s something that we spend a lot of time doing, a lot of time we do at The Times.

28:57 - Training is lessons, pre-prepared lessons where we really get people brought up to speed on proper techniques and tools.

29:08 - And advisement is when they come to us and say, hey, Jesse, I got this question and we think about it, and we give them the best advice we can about what they can do.

29:20 - This is often what will happen if you as a security professional end up working with any news organization or media person, they will ask for advice about something.

29:29 - So make your advice actionable. Journalists have a lot of competing interests, and their time is very valuable, and they basically have to deal with a ton of stuff.

29:45 - So making practices that are doable and not theoretical is really the best thing I can suggest, but they are curious and persistent folks, so expect them to ask you challenging questions about the practice or advisement that you give them.

30:11 - All right. So here are five basic practices for journalists.

30:18 - As a journalist you should be doing these; as an information security professional or hacker with journalists who are asking you for advice, these are the five pieces of advice maybe you should give them, it’s a great starting point.

30:30 - Use strong diverse passwords on all your accounts.

30:33 - Please, please, please. You’re gonna have a lot of accounts as a journalist.

30:38 - And so you’re gonna need to use strong diverse passwords.

30:40 - This will, of course, mean you need to use a password manager.

30:45 - Any password manager out there is probably better than no password manager, and a real online password manager that’s backed up that’s securely operated and securely run is really the best solution.

30:59 - Notebooks, things you remember, iterations of things you remember are really, really not, do not work.

31:08 - Use second factor authentication on everything you can, as much as you can.

31:15 - Skip over doing it with SMS though. Use authenticator apps and use hardware tokens.

31:21 - Use authenticator apps that backup to your password manager, so that if your phone is lost, stolen or confiscated, you can get back in the game real quick, and you don’t have to re-enroll everything.

31:37 - Use hardware tokens whenever possible. Have two and have the codes, of course.

31:47 - One of the key things to do is to take that second token and keep it in a safe place, and not carry two with you at all times, just have the one on you at all times.

31:58 - Use a VPN, use it on every untrusted network that you run across, that you’re operating a computer or a phone on.

32:04 - Any untrusted network is not your home network and not your work network, so pretty much all the weird networks you jump on, all the press pool networks, the Olympics or at a convention or something, especially this convention.

32:19 - Companies should have a VPN for, again, to its own assets.

32:23 - Journalists should collect third-party VPNs as they see fit.

32:29 - There’s a bunch of great ones out there, there’s plenty of market research about which ones are the best.

32:34 - Just choose one that’s a high-quality reputable VPN provider.

32:40 - Keep track of your assets, where you store your information, divide your public and private assets.

32:46 - Your work computer shouldn’t be your personal computer if at all possible.

32:50 - I know this sounds annoying, but it’s a really good thing to do for a number of reasons.

32:57 - If you’re a freelancer, I know this is really tricky, but definitely think about keeping as much of your public and private life separate from a data compartmentalization or information compartmentalization standpoint.

33:13 - Update early, update often. I don’t know anyone who suffered greatly from updating to the latest version of some OS or patching their systems.

33:22 - I do know people who have suffered greatly from not doing that.

33:28 - Use secure messaging platforms, use Signal for as much messaging as you can.

33:34 - You can even use it to securely store your notes, you can just message yourself notes, right? Signal is a great tool, we really like it.

33:42 - The other secure messaging platforms out there have a lot of different interests that don’t always seem to align with their user interests.

33:53 - But you’re gonna have to go with the sources, so whenever possible try to shift to Signal, but if you have to use one of those other third-party messaging platforms, secure messaging platforms, do find the online guides that are out there about running those more securely, so that you can minimize your attack surface and your exposure.

34:19 - So it’s not just reporters who are part of the newsroom, there are also editors out there.

34:25 - So here are the five basic practices for editors.

34:28 - You really need to communicate known security risks to your journalists.

34:31 - If you know it’s a security risk, your journalist, who maybe has been around for a long time or maybe hasn’t, may not know it for whatever reason; let them know, tell them these are the things that I am concerned about for your safety or your information security safety regarding this story.

34:51 - When a journalist comes to you with security concerns, you need to listen to them and factor them into the reporting.

34:58 - You also need to connect that reporter with support systems, be they in-house or external, to help them stay safe.

35:05 - It’s really very, very, very useful when an editor says, hey, I’ve got a team, they’re gonna cover the story.

35:11 - Can you talk to them? Have a regular and clear cadence of communication with your reporters when they are in the field.

35:19 - This is really key. Always start off the conversation with the same basic question set, PSI.

35:26 - What’s the position, right? Where are they in the story, physically in the world, and where are they in the story? What’s the situation? What’s the environment around them looking like? What’s the situation looking like? And what are they planning to do next? If you can have those three pieces of information handy, when something goes wrong, or you think something might be going wrong, then your security team will be able to find even better support.

35:50 - And finally, you have to do all the things in the previous slide.

35:52 - You need to be the example of how to do secure journalism securely.

35:58 - So the fun never ends, it never gets easier as you move up the old hierarchy in the newsroom tree.

36:05 - So that’s the basics for journalists and editors in the newsroom.

36:10 - Let’s talk a little bit about some of the stuff that we in the InfoSec team deal with on a regular basis, and more of what we do.

36:18 - So here’s the more of what we do. We help journalists and editors gather and secure source material all the time, we make sure that we don’t cross any legal red lines, we never instruct sources on how to get information.

36:36 - It’s not our job, we’re not doing that. We’re really looking for sources to, they had something they wanna give us, they collect it and they deliver it to us.

36:45 - We operate a tips line and we operate our own SecureDrop servers from the Freedom of the Press Foundation, so people can get us that information.

36:57 - Also we will develop solutions, if needed. We are always concerned about the intent and operation of nation-state actors, both on how they are interacting with our journalists and what capabilities they have, and whether or not they’ve exercised those capabilities against us or other news organizations.

37:22 - As a telecommunications guy, I’m super into telecommunication security, so all the types of communications, both in how it can be used for surveillance, how it can be used for interception, so we’re constantly looking at that and trying to improve our own telecommunications security as best we can within the operating environment we are in.

37:49 - We operate a factory that makes newspapers, so we have all the industrial control systems you might imagine that exist in any factory out there, which is really great.

38:01 - It’s also really challenging because it’s a lot, it’s very different from a lot of the other stuff we’ve talked about today.

38:06 - I said it before, I’ll say it again, we have our own apps that we build, so having secure applications that are both externally facing, like the one in your phone from New York Times is the Crossword, but also internal apps that we use to build, run and operate the newspaper or the newsroom is really key as well.

38:29 - And so we look at the security of those things as another area of concern or focus.

38:36 - Of course, we’re concerned about our cloud architecture and infrastructure.

38:39 - We’ve moved out of data centers everywhere, we’re a very cloud-centric company now.

38:44 - I think any news organization storing data centers is possibly making a mistake.

38:50 - So having secure cloud architecture that is both redundant, available, but also absolutely secure and admirable is really, really key.

39:04 - And finally I’m gonna kind of lump into enterprise security here, but this is just a grey business of the grey lady, right? This is, we’re just like every other company out there.

39:13 - So we have legacy systems we need to keep track of, we have kind of the not-so-exciting information security things like your HR systems or your accounts payable systems, which are very exciting because they involve real people’s lives and getting paid, but that’s a huge area for us to also pay a great deal of attention to.

39:35 - And that’s really the nutshell of, you look at the newsroom very specifically, and then the rest of the company at large.

39:47 - So let’s look at some hard problems that we faced that we can’t really solve, these are not things that we’re like one of many who would desire these outcomes, but these are really kind of interesting hard problems.

40:00 - And if you’re looking for a challenge out there, please take a look at my list of hard problems and solve them for me, and just produce the golden goose because that would be awesome.

40:11 - One of the things we run into all the time on social media platforms is a lack of clarity and consistency in the language and presentation of security controls.

40:20 - Social media platforms really seem to like to change their security controls all the time, change how they’re referring to things, even at the most basic manner.

40:28 - So that when we say, hey, this is what you do to do this, and one of our people goes, I don’t see that button and we look at it and we go, it was there yesterday.

40:38 - If there was a system or a scheme where the policy you would like as an individual for your security controls and privacy controls could be read from a file as opposed to like clicked on a bunch of random like boxes on five different tabs, that would be great.

41:01 - So if you have any influence or control over this, that would be wonderful.

41:04 - I’d really like someone to produce the holy grail of telecommunications devices.

41:09 - I need something about this big, it does like multiple hundreds of megs of bandwidth reliably, runs on batteries, so that when we send journalists to natural disasters or conflict areas or just out into the hinterlands of the world, they have a way to return us high-quality rich journalism.

41:36 - We’re not just a print org anymore, it’s not just some words we need to scream out, we’re not just dictating phone, dictating stories over teletypes now.

41:45 - We are trying to move up the scale of the kind of media we’re producing.

41:49 - So that would be great if you can do that. I’m not asking for much.

41:55 - As we all know, when you get a large gathering of people together, a festival or an event or a rally, we often see modern telecommunications, wireless telecommunications kind of grind to a halt or slow way down, and then what happens is journalists basically have to go to the event, cover it as best they can, and then get back to some sort of usually a landline, but sometimes just outside of that cell area to file their story and provide some context for it.

42:26 - So really what we’re looking for is something like a wireless mesh network, something like Gotenna or Meshtastic that can send print-ready photos or videos as well as long bits of text, that would be an amazing little tool to help us get that working.

42:45 - We’d love some tools that allow for lightweight opt-in mobile device management.

42:52 - So we work with freelancers, and their phones are their phones, they’re not our phones, we’re not gonna top down just like start putting our policy on their phone.

43:02 - So something that is, but we could come up with some like quick enrollment thing where we’re like under these circumstances, what do you want us to do? Da-da-da-da.

43:12 - So that if they get detained for whatever reason, we can, A, know that they’re detained because we can track them physically and we’re allowed to through their device, or we can lock their phone for them.

43:29 - In that same vein, remote journalist check-in tools, these generally don’t work at scale and we have a lot of journalists, so we do a lot of check-ins.

43:37 - So if there’s a tool out there that would allow basically a way for journalists to self-enroll for security check-in and then check-in and they would be able to report back, and if the check-in didn’t work or they hit the red button because the meeting is not going well, and they really do need some backup, that would be wonderful.

44:00 - Tor network speeds, I love it when a source comes to us and says, hey, I’ve got six gigs of data I wanna drop on you, and we’re like, yes, that’s wonderful.

44:09 - And then they say, over an OnionShare, and I’m like, eh, uh-huh, because I know downloading six gigs of data over the Tor network is really, really, really painful.

44:18 - So anything you can do to help speed up the Tor network speeds would be great.

44:23 - Operating proper relays and exit nodes is wonderful, supporting them financially, so they can hire more folks to work on the project towards currently working on increasing their network speeds.

44:33 - I’m really excited about that project at many different levels.

44:37 - Speaking of that six gigs of data we just got, it’d be really great if we had a really wonderful set of tools for source media sanitization.

44:47 - We are looking at tools right now, but it doesn’t seem like anyone makes a really great robust method for sanitizing masses of data at scale in a newsroom, especially with a lot of the controls and features we would like to see as a news organization and not a financial organization or an insurance organization.

45:10 - Finally, we have all this data, right, better tools for searching and analyzing large mixed file sets.

45:16 - So you just get a lot of random stuff in folders sometimes, and you’re like, okay, so there’s folders of PDFs, interesting.

45:24 - You can’t just grep that, maybe it’s a mixed set, right? Maybe it could be a lot of different data.

45:30 - So having a way to handle that would be wonderful.

45:34 - Finally, an external message handling tool for secure messaging platforms.

45:39 - When we start getting 10X messages in our tip line because of a campaign from a group that would really like to be heard, it makes it very difficult for us to weed through all of that information.

45:53 - So something that we could operate that would allow us to manage all those messages in a secure way and do some filtering and binning, so we can really go, okay, this is all from this, but here’s a unique tip and here’s a not unique tip would be great, especially for apps like WhatsApp, Signal, Telegram.

46:13 - Again, not an easy thing, but definitely worth doing, especially we want these tools to be tools for simple good.

46:24 - Those are the hard problems. Oh, and finally Bellingcat has their own list of OSINT projects that they’re working on, that are stalled GitHub stuff.

46:34 - Definitely check out Bellingcat’s work and their need for building tools for open source investigators.

46:41 - So maybe you wanna get involved, maybe hopefully I’ve inspired you.

46:45 - Please think about attending the Internet Freedom Festival, there possibly will be some similar meetups like that in the States in the next couple of months, so definitely stay on the lookout for those.

46:57 - Attend the journalist convention if you feel like, that’s another great place to like kind of get a flavor for what’s going on.

47:04 - If you’re looking for work, check out the Digital Rights Job Board, a lot of posts are put up there.

47:08 - I post all The New York Times jobs to that board as they come up and there are openings right now at The Times in the security group.

47:17 - We have major, I mean we’re not the only, we’re not the…

47:20 - There are other newspapers out there, there are other news orgs, surprise.

47:25 - So definitely check out The Wall Street Journal, Bloomberg, The Washington Post, CNN, BBC, Reuters, AP, Gannett.

47:33 - And also if you don’t wanna switch your job, but you just wanna try and help your local newspaper, it’s a really good idea.

47:42 - Local news is really, really, really important, and it’s really, really, really on the ropes right now.

47:48 - So definitely think about checking in at your local newspaper, even if it’s an alt weekly and ask if they want any help because they might, they probably do need the help.

47:59 - And even if it’s just advisement, it could lead to something you could not, but it could definitely help.

48:06 - If you are a researcher, if you’re like working NGOs, you like doing advocacy, definitely check out some of the NGOs working in this space.

48:15 - There’s the Committee to Protect Journalists, who helped me get some of my stats.

48:19 - There’s Reporters Sans Frontieres, they’re a wonderful organization.

48:22 - The International Federation of Journalists is out there working on behalf of journalists internationally.

48:29 - The International Women’s Media Foundation is another great place to look in that.

48:33 - The Freedom of the Press Foundation, a lot of folks I bet you in this very room are from that organization.

48:43 - So please think about working for one of them or working with them.

48:46 - And there’s a bunch more, I didn’t even name also working on these same issues.

48:52 - So hopefully you’ve found this talk enlightening.

48:55 - If you have any questions, feel free to ask me, you can hit me up on Twitter, my DMs are open.

49:02 - And I’m not a great Twitter person by the way, but I will keep an eye out for you.

49:08 - So feel free to ask me any questions you like.

49:10 - Thank you so much, and have a good day.