1 of 16

Source Protection and JSAT

Global Investigative Journalism Conference 2023

2 of 16

Rubric #1: Threat Modeling

https://freedom.press

3 of 16

Assessing your risk aka “Threat Modeling”

Assets: What do I have to protect?

Adversary: From whom?

Resources: What resources does my adversary have?

Likelihood: What is the likelihood my adversary will target me?

Your resources: How far will I go to protect my assets?

https://freedom.press

4 of 16

Rubric #2: Which Door Do They Use?

https://freedom.press

5 of 16

Back door

  • Lawless actors act with impunity
  • No problem with hacking
  • Can use retaliation or threats of physical violence to get data

https://freedom.press

6 of 16

Front door

  • Lawful tactics in a rule-of-law jurisdiction
  • Uses legal requests (subpoenas, warrants, requests for production) to get data.

https://freedom.press

7 of 16

Rubric #1 + Rubric #2: Likely tactics

https://freedom.press

8 of 16

Who concerns you? The Troll

Time: 1 dedicated person

Money: Low

Technical skill: Unsophisticated, self-taught

Tactics: Due to lack of technical skill, relies on social-based attacks like harassment and phishing

https://freedom.press

9 of 16

Who concerns you? Intelligence

Time: 1 dedicated group

Money: High

Technical skill: Top in-house experts and/or external contractors

Tactics: These actors will use legal means to get your data, but also has the resources to deliver malware or other surveillance methods (in-house or contracted)

https://freedom.press

10 of 16

Who concerns you? Law Enforcement

Time: 1 dedicated group

Money: High

Technical skill: In-house experts

Tactics: Expect them to lean on the legal system to get your assets (subpoenas and warrants to platforms for your data, device confiscation)

https://freedom.press

11 of 16

Who concerns you? Corporate Figure

Time: 1 dedicated group, can outsource

Money: High

Technical skill: Outsourced experts

Tactics: Has the resources to contract out to surveillance professionals like PIs; they might use the legal system to harvest your assets

https://freedom.press

12 of 16

Who concerns you? 1337 Hackers

Time: 1 dedicated person,

Money: Low-High

Technical skill: Expert

Tactics: This person has the skills to pull off social and technical attacks to get at your assets. They don't tend to, or have the power to, use legal methods to get assets

https://freedom.press

13 of 16

Assessing your risk aka “Threat Modeling”

Assets: What do I have to protect?

Adversary: From whom?

Resources: What resources does my adversary have?

Likelihood: What is the likelihood my adversary will target me?

Ability: How far will I go to protect my assets?

https://freedom.press

14 of 16

What do I have to protect?

Who am I concerned about?

How likely is this adversary?

What are their resources? Likely tactics?

What would the impact be? (Low, medium, high)

What resources do I need?

https://freedom.press

15 of 16

Rubric #3: Bullseye Mapping

https://freedom.press

16 of 16

Bullseye Mapping

  • Helps visualize who has access to what
  • Different communication channels will be required
  • Agree how to communicate beforehand

https://freedom.press