Techno-Politics and Journalist Security in Singapore

Read:

• https://sg.news.yahoo.com/singapore-pm-demands-apology-blogger-084428281.html

Three generations of Singapore's top officials have used the tactic of forcefully pushing bloggers and vocal Singapore netizens against the wall via legal threat. Instead of using peaceful debates to proof to the netizens that their accusations are baseless, these top officials of Singapore have chosen to use unrestricted force upon sight to bring down anyone who are against them.

In my opinion, the accused officials should step up and take challenges instead of using unusually forceful means to subdue the views of those they find unpleasing and learn some humility and appreciation for the comments of others regardless if they are nice or not. To prove that the accuser is wrong, they can make their processes very transparent and invite outside parties to audit their systems and processes. If they can take challenges and show humility, not simply trying to get rid of others who they don't like, they will gain respect and respect is key to their reputation. The inverse which is simply being full of themselves and attacking by unusually forceful means would not gain much reputation. They simply look very ugly.

Put it simply, in Singapore, you need to publish articles that will not disagree with the people in power. Disagreement in itself is seen as equivalent to treason here. There is very little security provided to journalists and bloggers who want to post materials that may not be suited to the views of those in power as they may not take lightly any attempts at challenging their power and reputation. Below are some security mechanisms journalists and bloggers can consider below on taking a DEFENSIVE stance to protect themselves and their assets:

• Data hosted in foreign jurisdictions. This means that if someone wants to challenge you to take your data down, you and the aggressor need to obey the legal proceedings of the jurisdiction where the data is hosted. The very nature of jurisdiction if used properly can make it harder for an aggressor to push their way through. You need to pick your data hosting countries properly. Switzerland and Germany is a good place to start. Certain Scandinavian countries would also provide good data protection laws.
• Rally more debate if threatened. Get more attention and more support whenever can while maintaining OPSEC (Operational Security) as posted in this article.
• Data duplication and high-availability options. Create mirror backups of contents that are sensitive. Copy and distribute copies of works as often as you can. Use 7zip, Gzip and other compression formats to compress large data archives and upload them on online upload storage (DO NOT use Dropbox as they are pro-Institutions) and spread the links. Run torrents if you need to. Using this method, if one person (most likely you) go down and brought down, there will be many other like-minded ones who will continue to bring the debate back online.
• Proper use of Cryptography to protect their personal data and the protection of secret keys and passwords/passphrases despite coercion. 7zip archive format includes AES encryption to encrypt your own files with passwords. Have a good sense of password policy (mix characters with 12 characters and do not re-use passwords at the very least). Use of the Truecrypt file encryption utility would save you and make it absolutely difficult for agressors to decrypt your file as long as your master passwords and encryption keys are safe. Do not reveal passwords/passphrases under coercion.
• Use of PGP/GPG email encryption will enable private communications. Make sure to install Truecrypt and create a secure file volume and generate your PGP/GPG ermail encryption keys inside the Treucrypt secure volume so that your secret email keys would not hang loosely in your untrusted PC !
• DO NOT USE THESE ALGORITHMS FOR ENCRYPTION: RC4, DES, 3DES/TripleDes.
• DO NOT SHARE ACCOUNTS, PASSWORDS AND SECRET KEYS !!!
• Do not post something online when you don't want it to be known. Whatever data posted online and collected by aggressors would be used against you to remove your credibility, so for goodness sake, keep your online activities clean from now on and have a good security habit. Try to use HTTPS whenever you can (you can install HTTPS Everywhere browser plugin (https://www.eff.org/https-everywhere) and it will always steer you to a HTTPS connection whenever possible).
• If you are in an untrusted environment, use a TAILS Linux Live CD (https://tails.boum.org/index.en.html).
• Keep a separation between sensitive personal information and public information for goodness sake. If you need an air-gap computer (a computer that has no network by switching off it's network capability or physically removing it's network card and using USB stick to transfer sensitive information) to process sensitive personal information.
• If you are more technically savy, try to setup your own Rubberhose Filesystem (https://web.archive.org/web/20110726185300/http://iq.org/~proff/rubberhose.org/).
• Lastly for this article, all these troublesome security is in place to KEEP YOU SAFE.

Encrypting your files

Encrypting your file system is a good way to prevent attacks from attacking the content of the file system externally where the contents are in encrypted form in the physical devices. The big trouble comes when your file system is decrypted at the moment when you are using the file system itself.


Below are some scenarios that would represent possible scenarios that I have mentioned.


Running your Operating System (OS) while some trojans managed to sneak into your OS. In such a case, even if you have a highly secure encrypted file system, the trojans present an insider threat as they exists within your file system and hide among your protected contents. No matter how strong your file system encryption is, these trojans existing inside your OS could simply grab your files (when you are using the OS, your file system is being decrypted and thus open to attack) that have been decrypted and send them to their owners.


Another scenario is when a user is being coerced into decrypted their entire file system for aggressors to obtain the plain form of the file system contents. File systems that have strategy to partition and trick aggressors via anonymity of ownership of the content (i.e. Rubberhose File System) could address such a problem.


As you can see, file system encryptions have the limitations of preventing people outside from looking into your file system content. I would not wholly ignore or condemn file system encryption as they are to me an external defensive wall.


I would recommend the use of "internal defense" by encrypting the files sitting inside your file system or devices that you think are important so in the events that a trojan slips in to harvest data on you, it would have a hard time decoding the "internally" encrypted files sitting in your file system. 


It would be better if you can encrypt your files on creation so that copies or temporary files and metadata of the contents will have lesser chances of fragmenting and being copied all over your file system as buffer data or simply to sit there for no reason.


Ultimately, these defensive techniques are to delay aggressors or to make it extremely hard for most aggressors to know the truth of your contents. Forceful coercion, human errors, key and screen logging to to detect the password you type into your file encryption program to decrypt those individually encrypted files are part of the arsenal that could defeat the encryption you have placed on your file system and each important files.


The best security is to simply not have it around at all but it is nearly impossible.


To summarise this short article, do not solely rely on encrypting your file system and devices. Encrypt the files inside the file system and devices that you think are important in an event your file system or OS is breached. There is no "ultimate security" for now.