Comment by naravara
8 hours ago
I hope Washington Post does a better job of training their reporters than my friend’s former employer did.
They sent her off to a certain country with highly repressive speech laws and secret police to interview and survey various civil rights activist groups. They gave her little to no guidance about how to protect herself aside from “Use a VPN to send any documents to us.” They didn’t even instruct her to use an encrypted email provider or to use a VPN for any online work that didn’t get sent to the employer.
It’s very fortunate she knew me and I could at least give her some basic guidance to use an encrypted email service, avoid doing any work on anything sensitive that syncs to a cloud server, make sure she has FileVault enabled, get her using a password manager, verify that her VPN provider is trustworthy, etc.
>They sent her off to a certain country with highly repressive speech laws and secret police to interview and survey various civil rights activist groups. They gave her little to no guidance about how to protect herself aside from “Use a VPN to send any documents to us.” They didn’t even instruct her to use an encrypted email provider or to use a VPN for any online work that didn’t get sent to the employer.
How would that advice have helped?
>an encrypted email provider
Unless this was in the early 2010s the email provider was probably using TLS, which means, to the domestic security service at least, it is as safe as an "encrypted email provider" (protonmail?)
>FileVault enabled
That might work in a country with due process, but in a place with secret police they can just torture you until you give up the keys.
>password manager
Does the chance of credential stuffing attacks increase when you're in a repressive state?
None of the advice is bad, but it's also not really specific to traveling to a repressive country. Phishing training is also good, but I won't lambast a company for not doing phishing training prior to sending an employee to a repressive country.
> Unless this was in the early 2010s the email provider was probably using TLS
It was the mid 2010s yes.
And they’re not going to abduct and torture an American citizen out of the blue. The more “intensive” methods are higher cost; the intention is just to increase the friction involved with engaging in the routine and scalable, ordinary forms of snooping.
Shouldn't this be basic knowledge for journalists?
Why would it be if nobody trains them on it?
There are several groups out there that train journalists (and others) about digital security.
https://freedom.press/digisec/
https://tcij.org/initiative/journalist-security-training/
https://ssd.eff.org/playlist/journalist-move
People train to become journalists, wouldn't these practices be part of the curriculum?