Encrypting A/V: How you can secure your equipment and encrypt your footage

From IFF Wiki
Presenter(s): Harlo Holmes, Olivia Martin, Jen Helsby
Organization(s): Freedom of the Press Foundation
Country(ies): United States
2017 theme: Journalism & Media

Media makers interact with AV equipment on a daily basis — audio recorders for interviewing, cameras for photography and filmmaking, and mobile phones to capture footage on-the-fly. There are many challenges to keeping raw data secure: lack of encryption, opaque industry standards, and dependence on third parties with private interests. In this session, we will develop an understanding of the risks we face using A/V devices in the field, and workshop security strategies and tools we can leverage to mitigate these risks.

Format: Workshop
Target Groups: Journalists, Software Developers, Designers, Usability
Length: 3 Hours
Skill Level: Intermediate
Language: English

Notes: Encrypting Hollywood

Securing photo, audio, and video production

Context & Introduction

Filmmakers Embed Project

  • Founded by the Ford Foundation & Sundance Documentary Filmmakers Association
  • Documentary, indie, cinema, VR, podcasting — cuts across modern film-making
  • Project to support computer security education for filmmakers
  • Variety of documentary filmmakers, mostly based in US, working on political issues (surveillance, activist movements, indymedia)

Filmmakers are…

  • Awesome, innovative, but very busy
  • Fond of out-of-the-box solutions — nobody changes default settings
  • Expect things to “just work”
  • Not computer security experts

Threat modelling 101

  • What do I have that needs protection?
  • Who is most likely to try to get at it?
  • What resources do they have to work against me?
  • What would happen if they succeeded?
  • What do I have the power to do to protect myself?

Filmmaker avatars (user personas)

Community filmmaker

  • Works locally, within a particular community
  • Not a paid professional — limited resources
  • Pursues independent projects
  • Uses equipment incrementally collected over the years
  • Not concerned about highly-sophisticated adversaries
  • May be the de-facto archivist of the activist community they work with
  • Concerned about protection of their intellectual property — don’t want anyone to see their footage until their final product is ready to be seen

DIY Cryptoparties are effective

  • Credential management
  • Securing accounts
  • Making/using good passphrases
  • Basic browsing safety (cookies…)
  • &c…

Camera Encryption Project

  • An FPF project calling on camera equipment manufacturers to implement cryptography in high-quality digital recording equipment
  • Camera-makers were not particularly engaged — little market incentive
  • Great way to get awareness out about the issues, and talk about the possible solutions
  • Zifra (zifra.tech) are working on tech to encrypt footage on the fly (based on SHA-3)
  • Canon Hackers Developer Kit — hobbyist project for making software modifications of Canon cameras, including some experimental crypto tools
  • There are no existing tools which allow on-the-fly encryption as you shoot/record — this workshop will focus on shooting unencrypted then safely protecting footage after the shoot
  • This is about helping teams control the integrity of their footage

Adapters! Adapters! Adapters!

  • Get to know B+H — the major US provider of AV equipment
  • Use SD or MicroSD card as the fundamental unit of storage
  • People are fans of specific camera brands with proprietary storage units
  • Find an adapter to allow that camera to use (micro)SD cards
  • It’s impractical to ask filmmakers to adopt new devices
  • Instead: retrofit their existing tools

What’s your data-retention policy?

  • If using a storage service, learn that service’s data-retention and privacy policy

Schemes from the audience

  • Processes that work Chromebook-only
  • An out-of-the-box device which a filmmaker can put an SD card into which will copy, wipe, and save (this, but with more crypto. Maybe this?)
    • Add Wi-Fi, Bluetooth, web portal, mobile app…
  • Encryption can be scary at checkpoints and borders — want to be able to hide some encrypted footage on the SD card
  • Could we make an encrypting SD-card adapter? Yes, that’s what Zifra is trying to make.

The Scout

  • Extremely mobile, working from numerous locations
  • Making contacts, friends, securing locations…
  • Dependent on communications tools and mobile apps
  • Take a lot of photos, but mostly on mobile devices

Scoping Locations on Mobile

  • iCloud automatically slurps up your camera roll into the ☁ so want to avoid the camera roll
  • Peerio is a good way to shoot, save, and send photos
    • Also useful for keeping important private documents, contacts…
    • Also useful for sharing encryption keys

Keeping it Under Wraps (#BeyondOpsec)

  • Use Signal, use WhatsApp, whatever: everyone in the room has a handle on this

The Source Interview Guru

  • Interweaves phone interviews with visuals
  • Relies on mobile-based encryption
  • Works with anonymous/pseudonymous interviewees
  • Basically in the business of wiretapping themselves
  • Don’t want to entrust those recordings to third parties

The Analog Hole: or how I stopped worrying and learned not to wiretap myself

  • So you’re using Signal to make a safe end-to-end encrypted phonecall and you want to wiretap it…
  • You may not want to install some sketch-ass self-wiretapping tool which sends recordings who-knows-where
  • You definitely don’t want recordings uploaded to some unknown service and nobody wants a third party in their private chats
  • Also, wiretap apps have pretty inconsistent quality and that’s 🗑
  • So you plug a multi-channel audio recorder into the headphone jack
    • Consider Tascam DR-4 or DR-20
  • Same principles apply for video recording (ex: of Jitsi Meet) but it gets more complicated pretty quickly

Ideas from the Audience

  • Built-in voice recording with Signal

The Editor

  • Works from the office — often a coworking space
  • Tasked with locking up at the end of the day (some physical security awareness)
  • Often rely on the specific editing software they’re familiar with

Thwarting the evil maid

  • Encrypt the hard drive
  • Back up early and often
    • Backups should always be encrypted
    • Use an external hard drive that you take with you
  • Turn off the device when you leave (not suspend)
    • Editing programs are often good at restoring state after a reboot

Clean up after yourself

  • Be aware of autosave in Adobe Creative Cloud
  • Understand how your software uses scratch disks and temporary files

Audience questions

  • How can you stay safe when using pirated software?
    • Make a case to donors about software licenses being a security issue
  • Participant: working with an NGO which had an IT department which deliberately chose not to install software updates on their machines 🔥🗑🔥🗑🔥🗑🔥🗑🔥

The Field Innovator

  • Backed by an organization, well-funded
  • Works abroad and travels frequently
  • Uses new, networked equipment
  • Draws the attention of state actors

Logging + Capturing

  • Working with a home team and an away team — need to sync footage from the away team back to the studio
  • 😭 Dropbox rules everything around me 😭
    • Dropbox has pretty garbage security TBH they can’t even get “delete” right
    • Probably not blocked by malicious national censorship systems
    • Dropbox reads, indexes, hashes, and watches all your content
    • Dropbox keeps the history of all your files for a very long time
    • Very hard to keep anything ever uploaded to Dropbox from prying eyes
  • Instead of Dropbox, consider services that offer end-to-end zero knowledge encryption: especially services offered by a reputable company (rather than self-hosted)
    • SpiderOak One
    • Tresorit
  • It is still possible to encrypt things to yourself before you upload them
    • Mac Disk Utility can create encrypted containers which can safely be uploaded (ex: to Dropbox or Google Drive)
    • Or do it on Tails!
  • Once you copy your footage, wipe it using a multi-pass overwrite
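
The copy-then-wipe step above, sketched as an added example (not code from the workshop or from FPF): each file is wiped from the card only after its copy hashes identically, and the returned manifest lets the team check footage integrity later. The function names and the `archive` location (assumed to be an already-encrypted volume) are assumptions.

```python
import hashlib, os, secrets, shutil, tempfile
from pathlib import Path

def sha256_file(path):
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def overwrite_and_delete(path, passes=3):
    """Overwrite a file in place with random bytes `passes` times, then unlink it.
    On flash media (SD cards, SSDs) the controller remaps blocks, so this does
    not guarantee the old data is gone; keep cards physically controlled too."""
    size = path.stat().st_size
    with path.open("r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            for offset in range(0, size, 1 << 20):
                fh.write(secrets.token_bytes(min(1 << 20, size - offset)))
            fh.flush()
            os.fsync(fh.fileno())
    path.unlink()

def ingest_card(card, archive):
    """Copy each file from `card` into `archive` (assumed to be an encrypted
    volume); wipe the source only after the copy hashes identically.
    Returns a manifest {relative path: sha256} for later integrity checks."""
    manifest = {}
    for src in sorted(p for p in card.rglob("*") if p.is_file()):
        rel = src.relative_to(card)
        dst = archive / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(src, dst)
        expected = sha256_file(src)
        # The read-back may be served from the OS cache rather than the disk.
        if sha256_file(dst) != expected:
            raise IOError(f"{rel}: copy differs from source, file not wiped")
        manifest[str(rel)] = expected
        overwrite_and_delete(src)
    return manifest

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:   # constructed stand-in for a card
        card, archive = Path(tmp, "card"), Path(tmp, "archive")
        (card / "DCIM").mkdir(parents=True)
        (card / "DCIM" / "clip001.mov").write_bytes(b"constructed footage" * 4096)
        print(ingest_card(card, archive))
```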

Network Security (#DRONEZ)

  • GoPros
    • Portable, compact, high-quality cameras
    • Remotely-controllable over WiFi
      • Plz to change WiFi password on ur GoPro
      • Changing WiFi settings on GoPro requires registering on the GoPro site
      • The GoPro API is scary and unencrypted and includes a remote wipe command
      • FPF have a little script to make a settings file letting you reconfigure your GoPro and change the password

Border Crossings

  • Borders are terrifying hellscapes bereft of decency
  • Don’t lie to border guards
  • Memorize your lawyer’s name and number so that you don’t need a device to access it
  • Make sure that you don’t have access to the most-sensitive information that you never want to be able to hand over to a border guard
  • Border crossings are super complicated and there’s no one-size-fits-all
  • Don’t rely on “clever” solutions because you will get rocked

The Festival Darling

  • You’ve made a film and it’s awesome
  • Work has gained notoriety in the industry
  • Required to travel with sensitive footage
    • The stuff you’ve left on the cutting-room floor may come back to haunt you
  • Faced with contracts and other legal documents
    • Beware the “final cut” provision in contracts

Take it to Antarctica

  • Your archival footage is your biggest liability
  • You should have a data retention policy
  • Your footage may be subject to a subpoena
  • Put it in cold storage — “take it to Antarctica”
    • Encrypt your leftover footage on an external hard drive with a good passphrase

Digital Tontine (#CallMyLawyer)

  • A tontine is a scheme where a lock can only be opened with multiple people who have separate keys — on computers, we use Shamir Secret Sharing
  • Consider giving one of the shares to a lawyer using a process called legal escrow
  • FPF is working on a piece of software called “Sunder” to implement this sort of secret sharing — coming out soon

Shopping Trailers to Distributors

  • Use a good passphrase to protect a cut of the trailer before you send it to a distributor
  • Set a calendar reminder to change the passphrase (for an online site) later