Disclaimer
I won’t speak about everything we’ve discussed, for people lives are at stakes. Also, as usual when things are done with orgs, I mostly spoke with people, not the entire organisation. And, since they’re not robots, their view does not reflect the view of everyone behind the AFP name.
I had a lunch meeting
Yeah, again. But this time with different kind of people. After the discussion via different media I had with AFP (my views and part of theirs are here), we came to the conclusion that we need to talk with a cold head.
So, they invited me for a lunch. It’s perfect if you want to keep it short in fact, and usually people are more available.
So, there was three of them: one field journalist who works in Middle East, the head editor in social media and one of their IT guy, specialized in security. All of them are nice and interesting people and they do understand the issue with Skype.
AFP is an old lady
AFP is an old lady, crippled with habits and prejudices. And things will move, but they won’t move fast. I know there are people who thinks it will be to slow, but I’d rather have them starting a real reflection about protecting their sources, even if it takes years, than moving without thinking it through.
Also, a lot of people there are not understanding the problematics around new media and internet. AFP have offices in a lot of places with issues about freedom of communication (China, Lebanon, etc.) and they had done it for years (they worked in USSR for instance) and so, they’re quite aware of the problematics about protecting their sources.
It’s an old lady, and like every old lady, they’re experimented and, sometimes, a bit arrogant toward the youngest. But who doesn’t?
AFP is an information system
Like every corporation. But when you manage information system, you must be aware that you can only manage the information inside your system. I cannot manage information coming from your blog, I can do it only from mine.
Same goes for AFP, they can do whatever they want to protect information, once it has reached one of their entry point (which is basically reporters and journalists on the field). They cannot do a lot of things about information coming from the outside.
So, for the part that’s inside AFP, they do use VPN, and they’ve blacklisted Skype from their networks. They have strong security and encryption measure to protect the data received by a journalist, once it has been gathered.
The issue with gathering information
The problem is when they need to get in touch with people. Or, in fact, when people want to get in touch with them. According to their experience, it started in Libya. Rebels there wanted to have their voice heard so they began Skyping everyone (from Reuters to AFP, going through each international media they were able to reach).
The opponents were using Skype on their own because it is convenient. It’s installed every where and it works without question (which is, for me, a sufficient reason to not use it) and the AFP’s arguments is that, if they want information, they have to accept Skype’s call.
What can be done
First, they have, I think, a good approach of security, trying to have a process around that, to define simple good practices and tips that can be used easily.
Second, I told them that they should run their own free services for people outside the AFP to reach them. Like deploying SIP or ZRTP servers, etc. And to define them as the default entry point for external people (on the contact page for instance).
Third, they need to find a way to open a secure channel over insecure ones. It’s not that easy, and it needs cooperations from the people on the field. Basically, if an opponent reach them and can have a short contact to give all the information they want to transmit, it’s OK. A 30s phone call will take several minutes or hours to be detected and analysed. If not, they should use it to define a different way of communication. Whatever it is.
The thing is, it’ll be viral. If opponents get on the habits of using unusual channel to communicate, they will do it with all their contacts. It will spread and then, other agencies will do the same thing, slightly enforcing those habits.
Fourth, we will stay in touch for other events like #Jhack, for them to share their experiences and for hackers to try to learn them fun way to protect themselves and sources.
Fifth, they shoudl avoid using trademark as protocol name. They contact people by VOIP, not Skype. It is an information that have nothing to do with journalism.
Conclusion
We, has hackers, must keep an eye on those old organisations. And, instead of slapping them hard, we should try to show them a different way they could explore by themselves.
I won’t work with AFP, for I have no time for that, and they have competent security people. But I will stay in touch with those people I met, sharing experiences and working around issue we can meet.