Here’s how ProPublica reporter Julia Angwin upped her defenses against hackers and spies.
Photo taken by Flickr user Jesper Rønn-Jensen.
By Julia Angwin
By arrangement with ProPublica
Some people make dieting resolutions in the New Year. I make security and privacy resolutions, because those are the things that keep me up at night. After all, as a journalist, it’s important for me to give my sources assurances that I will keep their communications confidential. And in today’s world, that is an ever-more-difficult task.
Everyone—journalists or not—faces an increasing array of attacks on our security and privacy. Even if you’re not the US’s intelligence chief, whose email was recently hacked, it’s smart to up your game. So this year, I thought I’d share my resolutions.
1. Software updates
It’s not sexy, but at the top of my list is updating my software to the latest versions. Nothing else matters-not fancy encryption or strong passwords-if you’re using software that contains gaping holes that any criminal or spy can penetrate.
If you don’t update your software, you are wearing a “hack me” sign on your forehead.
And I hate to break it to you, but all your software is as holey as Swiss cheese. The software updates you receive are just patches for the holes that have been discovered so far. More holes will be discovered later. What’s more, updates are basically red alerts to hackers, pointing them to the holes.
So I’ve just updated my phone and computer operating systems, as well as all my Web browsers, software and phone apps.
2. Ditching old, buggy software
Next up is ditching old, unused or poorly maintained software. Using software is a commitment. If you don’t update it, you are wearing a “hack me” sign on your forehead. So if there are programs or apps that you don’t use, delete them.
This year, I decided to ditch my instant messaging client Adium. I was using it to enable encrypted chats. But like many cash-strapped open source projects, it is rarely updated and has been linked to many security vulnerabilities.
Instead, I switched to Tor Messenger, an encrypted messaging program that is run by the Tor Project, a nonprofit that makes the anonymous Web browser that I already use. By the sad standards of underfunded open source security tools, Tor is relatively well-financed and so I have some hope that its tools will continue to be updated.
Tor Messenger links up with my existing Gmail and Jabber chat accounts, and is encrypted and anonymous by default.
If your passwords are long and unique, you don’t need to change them every few months, as most companies incorrectly force employees to do.
For even more privacy, I also signed up for Ricochet, an encrypted chat program that runs on the so-called Dark Web. One downside: You can only chat with other Ricochet users. So far, I have all of two buddies on it. [INSERT SAD EMOJI HERE!]
3. Upgrading my passwords
Passwords are, of course, the definition of unsexy. But you gotta have ‘em, and they should be long and unique (no re-using between websites). I use a password manager, 1Password, to generate most of my passwords.
But for my most important accounts, such as email and my bank, I use a method called Diceware to generate passwords that are about 30 characters long and made up of dictionary words that I can remember. (Thank you Chase for allowing 30-character long passwords—not all banks do, strangely.)
If your passwords are long and unique, you don’t need to change them every few months, as most companies incorrectly force employees to do. But I’d been using the same Diceware passwords for a few years now—and I figured it was time to create new ones.
4. Upgrading my encryption key
After getting all the basics out of the way, I finally got to the fun stuff: Secret coded messages! Who doesn’t love encryption? Modern crypto scrambles your communications so well that FBI Director James Comey has spent the past year complaining that it’s too hard to crack.
My new key seemed all pristine and shiny. And my old key-which I am now revoking-was like an old sweater that I was tossing.
I’ve long been haunted by the fact that when I set up GPG four years ago, I didn’t create my encryption key in the most secure way. This year, I decided to finally fix it. To set up my keys correctly, I had to find a computer that never touches the Internet and follow the instructions in this helpful guide: “Creating the Perfect GPG Key Pair.”
My new key seemed all pristine and shiny. And my old key-which I am now revoking-was like an old sweater that I was tossing. It had served me well, but it was time to go.
In fact, closet cleaning is probably the best analogy for my New Year’s security project. At the end, I felt cleaner and lighter—the same way I do when I toss out old clothes. And perhaps that feeling was its greatest benefit. I may not be able to foil all the hackers and spies across the Internet. But I can sleep better at night knowing I have tried my best.
Julia Angwin is a senior reporter at ProPublica. From 2000 to 2013, she was a reporter at The Wall Street Journal, where she led a privacy investigative team that was a finalist for a Pulitzer Prize in Explanatory Reporting in 2011 and won a Gerald Loeb Award in 2010.