Tech

How national-security reporter Barton Gellman protects his sources

The Pulitzer Prize-winning journalist reveals his security arsenal.

Photo of Patrick Howell O'Neill

Patrick Howell O'Neill

Article Lead Image

A decade ago, before Edward Snowden leaked a single document, Barton Gellman was using encryption and anonymity tools.

Featured Video

That alone put him way ahead of his competitors.

The Washington Post reporter and three-time Pulitzer Prize winner has been reporting close to the heart of power in Washington, D.C., since 1988. Covering the Pentagon both before and after 9/11, Gellman’s decade-long work on the War on Terror made him a particularly sharp choice for Snowden who revealed to Gellman America’s vast surveillance apparatus through the 2013 NSA leaks. Given Gellman’s resume, it makes sense that he’s been security-conscious for a long time.

Almost two years later, Gellman continues his work with more of a mind for security than ever.

Advertisement

He began using encryption tools long before most of his colleagues, but “since the Snowden story broke I’ve had to step up my game,” Gellman told the Daily Dot.

Barton Gellman’s security tools

Encryption—using math to turn data into a secret code—is the foundation from which Gellman builds security. The problem is that too often encryption is prohibitively difficult to understand and use so that even those who need it most get lazy and stick with easy-to-intercept default settings.

For that reason, Gellman prefers his security tools to be both strong and easy. To that end, his secure contact information is available for anyone to see on his Twitter profile along with his preferred tools.

Advertisement

Crucially, Gellman talked exclusively about free and open source tools. When it comes to security, open source—a program that has its code freely published to be reviewed by anyone—is key. While open source doesn’t guarantee perfection, it does mean that software can be thoroughly audited by a wide community that will point out any vulnerabilities and backdoors that’ll put you at risk.

Advertisement

Closed source means you have to trust the software’s creator. That’s a big ask for companies that have cooperated with spying in the past. Open source means you and the entire security community can dive in and find out what’s really happening for yourself.

“I’d recommend that any reporter—anyone, really—use encrypted messaging by default on a smartphone,” Gellman wrote. “For the moment, the best in class apps are Signal for iOS and TextSecure for Android.”

Both Signal and TextSecure are created by Open Whisper Systems, an open-source project whose tagline sums its mission up beautifully: “Security, simplified.”

Signal and TextSecure make good default text messaging apps. When your partner is also using the app, encryption is automatically attempted. It’s incredibly easy and works across platforms.

Advertisement

When Gellman has to move beyond text messaging, Signal for iOS and RedPhone for Android provide strongly encrypted phone calls. Also created by Open Whisper Systems, RedPhone is distinguished by its combination of ease and power.

When Snowden spoke about encryption tools at SXSW 2014, he was optimistic in large part because of Open Whisper Systems.

“I think we are actually seeing a lot of progress being made here,” Snowden told the conference. “WhisperSystems and the Moxie Marlinspikes of the world are focusing on new user experience, new [user interfaces] and basically ways for us to interact with cryptographic tools.”

The NSA weighed in publicly too, albeit involuntarily. 

Advertisement

A December 2014 Der Spiegel article showed internal National Security Agency slides calling RedPhone a “major threat” that can be used with other tools to cause a “near-total loss/lack of insight to target communications, presence.”

“It’s satisfying to know that the NSA considers encrypted communication from our apps to be truly opaque,” Open Whisper Systems founder Moxie Marlinspike told Der Spiegel.

For email and other similar communications, Gellman has a few different options.

To secure emails against surveillance, his 4096 bit PGP key is available on his website. PGP (Pretty Good Privacy) provides strong encryption and is used religiously within the security community. However, it has a few key flaws. Among them, PGP is not easy to use, keys have to be exchanged, and the average person may be turned off by the learning curve.

Advertisement

To fix that problem, Gellman is turning to something much more novel.

“For email and file exchange on a computer, Peerio is new, and not tested by time, but it’s promising because it’s so easy,” Gellman told us. “I’ve persuaded people who would never learn PGP to try it.”

Peerio, a cloud-based encryption program, has been called “dead simple.” It’s designed to make encrypted communication and file sharing as easy as can be.

Gellman also uses another new security program: Pond, software designed to improve upon the old PGP email model. Pond, which runs over the Tor anonymity network, is still in a testing phase.

Advertisement

That brings us to one of the granddaddies of security: Tor. 

Tor provides anonymous Web browsing, meaning Gellman won’t be easily identified when he visits any website. Better yet, contacts can stay hidden as well, making it easier for whistleblowers to get their message out without stepping too far out of the shadows.

Gellman also employs SecureDrop, a private information exchange system utilizing both Tor and PGP. Maintained by the Freedom of the Press Foundation, SecureDrop is meant to make it easy for a whistleblower to submit documents and for journalists to accept them from anonymous sources. SecureDrop works over both the open Internet and anonymously over Tor.

“For maximum security when it really counts, the best integrated tool I know is TAILS,” Gellman said.

Advertisement

Neither simple nor easy, TAILS is nevertheless a uniquely powerful and secure operating system. It works by temporarily replacing operating systems like Windows or Mac OS X. TAILS forces all of your connections through Tor in order to anonymize and protect you. When you’re done using TAILS, you simply remove the DVD or USB stick it’s stored on, and it’s as if it was never on your computer.

If you want to know how the NSA views TAILS, one line from a slide leaked by Snowden in 2013 says it all: TAILS “is a comsec mechanism advocated by extremists on extremist forums.”

That’s spy-speak for “TAILS works.”

“But security is not all about tech and gadgets,” Gellman said. “It’s about habits. When the stakes are high, reporters are going to have to learn a lot more about what an adversary can do and become disciplined in the way they respond.”

Advertisement

In an effort to not give too much away to any potential adversaries, the final pieces of the puzzle are left hidden by Gellman: “There are some details I would not talk about anyway.”

Screenshot via Frontline/PBS

 
The Daily Dot