Barrett Brown’s sentence is unjust, but it may become the norm for journalists

Really?! How do I have to spell this out? All your data is. Being. Grabbed. These risks are not outlandish. They are not tinfoil.

An individual that claims to be a security journalist and doesn’t know that is neither.

You are mistaken.

This is incredibly lazy.

We know it isn’t minuscule. How many public examples do you need? Do you need private examples? Again, my two assertions are 1) Mr Brown isn’t a (competent) journalist, and 2) his disclosures and linked material were not okay or ethical.

He shouldn’t be jailed. Don’t link, even privately, to stolen Intel.

Not exactly a viable rule. I, for one, will take a dozen journalists (and “journalists”) with poor OPSEC over none with good.

I expect that I probably am, at times, about some things. But reminding me of this without any indication of how or why you think so doesn’t say very much.

A functioning justice system. Currently the US justice system isn’t really functioning all that well. In fact, the justice system should be charged with obstruction of justice.

2 Likes

Let’s say he drew attraction to himself where, yes, he’d be an attractive target as a journalist, but what he did for which he was sentenced had nothing to do with journalism.

The real lesson for journalists isn’t to cut back but to stick to actual reporting. No vandalism, no abetting theft (I don’t mean of the disclosing secrets stuff), no threats.

And if a reporter can’t discern what Brown did to support the sentence, well, then, they’re not that much of a reporter, and their reticence to do their job isn’t really much of a loss to those of us who want to be informed.

OK, then, please articulate the risks potentiating from the sharing of an already public link on an ostensibly private channel.

2 Likes

I don’t mind. One or two. I’d be happy if you could get to specifics, so I can see how it is you’re reasoning this one through.

Shared Intel doesn’t need to be hermetically sealed, but basic opsec is basic. ISPs, nations, BGP peering nodes, etc. are all inspecting your traffic. So that means when you share data that has my SSN in it there are many copies made. And even if you have good intentions, someone else will invariably fuck up.

Wash your hands, don’t share needles, and encrypt your stolen data from military industrial sources.

Actually the question to ponder is “what is your point?”.
You wouldn’t know it by reading the article, which tortuously avoids even a casual mention of the President, but this journalistic witchhunt is currently being overseen and authorized by the Obama administration, and not some 1%-funded, GOP masterplan. It’s just the latest in his administration’s record-setting prosecution of journalists, whistleblowers, drug users, illegals, etc. etc.

This IS the “Change Candidate”. But you know, we can expect all the wailing and hand-wringing by the people who’re standing idly by the minute the office changes party affiliations. Then when the shoe’s on the other foot, expect lots of “Rethuglican Administration Declares War on the First Amendment!!1!!”

Gah, no! That is reinforcing the idea that sloppiness with data that really, really matters–when it is trivial to have average opsec–is okay. This is basic hygiene. This is putting on pants in the morning basic (yeah, eff pants :D).

If you don’t believe in vaccines you are not a doctor. If you don’t believe in opsec you are not a security journalist.

Ruminating on the dire state of 21st century computer security, and the pervasive surveillance state, is preaching to the choir.

I understand all that.

I don’t see how any of this raises the possibility of articulable harm eventuating from the act of sharing an already public link to an already public set of documents in a non-public forum. You’re not doing a very good job of articulating the particular kinds of harm you see eventuating from doing so.

Data is being intercepted by private and public companies at every step. If you don’t care about privacy this might not bother you, but I care about your privacy and mine.

" already public link to an already public set"

This isn’t criminal, but sharing data of this type in this manner shows complete ignorance of how it will be intercepted. As a security journalist this is unethical.

“non-public forum”

If it isn’t encrypted with keys shared over another channel, it is public.

This is the “if you have nothing to hide” defense. So seriously, just No. I apologize for being kind of a jerk, and perhaps a gentler tone would produce more converts, but this attitude must change quickly.

This is where you are so badly mistaken. You might not have an adversary that you know about, but the moment your data becomes easy to harvest you will. It really is just a low hanging fruit problem. And no matter how diligent you are about protecting your data, if the chain of custody is sloppy then things happen.

Look, I have been very clear about my stance on the legality of sharing a link. But I find it disheartening that ignorance of chain of custody is so widespread. It only takes an accident or mistake to make a person’s life hell.

1 Like

Sure, you have been quite vocal about best practices of what to do. But coming from outside journalism myself is why I asked you about the background of this, the “how” and “why” that you are working from. I searched “PII ethics” and I get statements of policy, but no discussions of the ethics behind it, which I am told are so important. Yes, this means I am ignorant. No, I am not a security journalist. But when I am told that this affects everybody, I try to understand how.

Thanks for going into more detail.

1 Like

Handling Intel, especially Intel that well-connected companies don’t want you to have, is a sincere responsibility. As a handler you can’t predict the outcome of sending data (or links) across decentralized networks. Does it have medical info? Will it leak an informant’s name? Will financial details be siphoned by unscrupulous network admins?

All of these happen every day. And it is difficult to predict which one will happen. But if you have access to valuable data (like Stratfor) you have to assume people are looking for it. Heh, ironically this is what happened :smile:

Failing to keep your data safe does harm–often completely unintentional and unexpected–but as a security professional you are required to know this.

(I appreciate the conversation, even when we bump heads :smile:)

1 Like

It’s not the “nothing to hide” defense.

“Nothing to hide” is a denial mechanism used to avoid the conclusion that it is a bad thing that the private communications of entire human communities are being devoured by the deep state. People say they have “nothing to hide” when they assume that they are not doing anything culpable to law enforcement measures, not in order to excuse themselves from meeting standards of due diligence while handling sensitive information.

Surveillance is a very bad thing, and those people are wrong and “nothing to hide” is a facile, deeply authoritarian response to the unsettling facts of 21st century communications. It is the capitulation of frightened apes before an awesome and incomprehensible power. It leads us down the road to fascism and worse.

Everyone should regard personal and communal privacy as social goods, and inherently worthy of preservation, and crypto should be employed pervasively. etc.

Nevertheless, we are not dealing with the “nothing to hide” argument. You were contending that Barrett Brown is “not a real journalist” because he mishandled sensitive information. This contention raises different standards to the “nothing to hide” argument. It supposes that there are at least two kinds of information: sensitive information and nonsensitive information, the one of which is of a different category to the other, and to which different standards of care apply. Nonsensitive information, according to this rubric, can be shared openly and in the clear, whereas sensitive information must be shared only when adequate precautions have been taken.

You appear now to accept that - because the information in question (a link!) had already been made public - it was no longer really sensitive information. No articulable and probable harm can rationally be seen to potentiate from the sharing of the link without crypto in an irc chatroom which was not open to the public. I deduce that you accept this, because otherwise you would not have accused me of using the “nothing to hide” argument. We agree that Brown had “nothing to hide”, you just think he should have encrypted his communications anyway, and you invoke the abstract notion that everyone should treat privacy as a good in itself, and not as a means to an end, in your defense.

You are therefore apparently now taking refuge in the position that Barrett Brown is not a real journalist because he failed to handle unsensitive information according to the standards appropriate to sensitive information. The prescription underlying this appears to be that, because surveillance is ubiquitous, even if there is no articulable risk of harm from a given particular instance of cleartext communication, people should employ encryption anyway, on principle.

In essence, you have now collapsed the distinction between sensitive and nonsensitive information. All information is sensitive information now, according to you, and activates the higher standard of care.

I put it to you that, if this is your position, your argument no longer really relies on the facts of this particular case. By the very fact that Barrett Brown ever, in any instance, communicated any sort of information at all, on an unencrypted channel, he is to be found to have acted unethically, and negligently, and must therefore be denied the status of “journalist”. This multiplies the instances of alleged infringements quite considerably. You do not need to wed your argument to this specific instance of his having shared the link in ProjectPM. Indeed, doing so is on its face problematic, because it would be excusatory of the now high number of likely infractions on the ethics of “journalism” of which we have now supposed Barrett Brown might be guilty.

I secondly propose to you that, while it is a reasonably noble aspirational belief that everyone should use encryption - one I’m happy to agree with in principle - we are now at the juncture where your argument unspools into absurdity, because this is not a practical standard upon which to decide whether someone is or is not a real journalist. Even journalists that scrupulously and religiously employ operational security when they handle sensitive information are now no longer journalists by your standards, so long as they communicate, ever, at any point, in the clear. You have defined journalism out of existence.

Of course, it’s fine for you to have this highly idiosyncratic standard for membership of the set of journalists, but you might want to consider why it is that you are singling out Barrett Brown in particular for opprobrium, given he shares his alleged ethical failure with at least the majority of people who have ever called themselves “journalist”. The guy is in prison, has been in prison since 2012, and hardly needs disproportionate, laser-like moral sanction from you as he contemplates another two or three years behind bars for doing piddlingly minor, probably-not-criminal stuff in a world where torturers and war criminals get appointed as human rights advocates and peace envoys. There are probably better ways for us to address our discovery of the alarmingly total absence of real journalists in the world than singling Barrett Brown out the week after a judge sent him down for 60 months on concocted charges, after the world’s most powerful security bureaucracy broke down his door, terrorized his family and engaged in byzantine prosecutorial misconduct designed to put him away for life.

Or maybe I’m wrong. Maybe, since the FBI and the Department of Justice seems to be going out of its way to make “an example” out of him, we shouldn’t pass up the opportunity to congratulate ourselves on knowing best and to make sure everyone knows it, even though he’s clearly being scapegoated mercilessly for embarrassing powerful people, and not even the government alleges that anyone was materially harmed in even the slightest way by a single thing he’s accused of, whether in court or out of it.

But I am unconvinced. In other words, I am questioning the priorities that would drive you to hold a victim of the unique machinery of institutionalised persecution known as the “American criminal justice system” to such absurdly high and pedantic standards when there are genuinely bad people to have a problem with.

1 Like

I apologize, but I am not going to be able to answer every point. So take this as ‘best effort’.

"You appear now to accept that - because the information in question (a link!) had already been made public - it was no longer really sensitive information. "

No, I do not. It is still sensitive information.

“but you might want to consider why it is that you are singling out Barrett Brown in particular for opprobrium,”

Because this post was lauding him as an oppressed journalist. I agree with oppressed, not journalist.

“to make “an example” out of him, we shouldn’t pass up the opportunity to congratulate ourselves on knowing best”

The sentencing is insane. He should not serve a day in jail. Sentencing him is akin to sentencing a movie critic for not knowing Citizen Kane. But in both circumstances Yes, it means you aren’t what you say.

“a victim of the unique machinery of institutionalised persecution known as the “American criminal justice system” to such absurdly high and pedantic standards when there are genuinely bad people to have a problem with.”

And there it is. I haven’t done that, and this is a straw man. Barrett Brown is oppressed, but he is not an oppressed journalist. And even though he is oppressed there is no reason to celebrate him.