Hello again!
It’s Martin, principal researcher at Freedom of the Press Foundation (FPF), with our regular update on the U.S. Journalism School Digital Security Curriculum.
J-school security curriculum highlights
- We’ve added new slides to our Malware module to help instructors get started sharing the good word about Dangerzone, a piece of software created by previous board member, Micah Lee, and now maintained by Freedom of the Press Foundation (FPF). Dangerzone helps sanitize potentially malicious PDFs and photos so you can open them safely. Take a look at the updated module.
Highlights from digital security in the news
- Hey, what great timing! Wired published a guide to protecting yourself from U.S. government surveillance, featuring security experts Runa Sandvik and our own Harlo Holmes. It covers a wide range of topics concerning secure communications with tools like Signal, hardening your devices with encryption, and more. https://www.wired.com/story/the-wired-guide-to-protecting-yourself-from-government-surveillance/
- Apparently, some police have been unpleasantly surprised to learn that iPhones in custody for forensic searches have suddenly become much more of a pain to analyze. That’s because in iOS 18, there is a new feature that makes devices reboot after three days of being locked. It’s substantially harder — in some cases, outright impractical — for police forensic search tools to read a device that has rebooted. Normally, when someone unlocks a device with their passcode, the phone is in “After First Unlock” mode, which allows data to be pulled off the device more easily. So this automatic reboot is likely making some cops very unhappy. https://techcrunch.com/2024/11/14/new-apple-security-feature-reboots-iphones-after-3-days-researchers-confirm/ (Suggested modules: Device protection, Law enforcement surveillance tech)
- The FBI filed public notice of an uptick in fraudulent “emergency data requests” made to private U.S-based tech companies for private content, such as a user’s files or communications. Emergency data requests are different from typical legal requests, in that they do not require a warrant and therefore bypass standard court procedure for access to the content of a person’s account. According to reporting from TechCrunch, “The advisory said that the cybercriminals were successful in masquerading as law enforcement by using compromised police accounts to send emails to companies requesting user data.” https://techcrunch.com/2024/11/08/fbi-says-hackers-are-sending-fraudulent-police-data-requests-to-tech-giants-to-steal-peoples-private-information/ (Suggested modules: Social engineering, Legal requests in the U.S.)
- While WhatsApp can’t read your end-to-end encrypted messages, it does collect a fair bit of metadata about people in conversation that is viewable to parent company Meta. A small bit of good news: The app just rolled out a new update that rearchitects how contact lists work. In this new scheme, not even Meta can read your contact list. We’ll take it. https://www.bleepingcomputer.com/news/security/whatsapp-now-encrypts-contact-databases-for-privacy-preserving-synching/ (Suggested module: Chat safety)
What we’re watching:
- I’m catching up on the conversations that recently took place at “Source!” the London Logan Symposium. This event, organized by FPF in collaboration with The Centre for Investigative Journalism, had some fantastic discussions about the evolving worlds of surveillance, source protection, and new ways of delivering the news against the backdrop of quickly changing economic and political conditions within and beyond the industry. If you missed it, you can check out recordings of the livestreams on YouTube.
As always, let me and our team know how you’re using the curriculum, what’s useful, and how it can be improved! Feel free to respond to this email or [email protected].
Thanks so much,
Martin
--
Martin Shelton
Deputy Director of Digital Security
Freedom of the Press Foundation
