Reminders and Upcoming Dates
Last class of the semester! Whew.
Your final drafts of your stories are due next Thursday by midnight. If you want additional editor feedback on your story before you file it, you can sign up for a one-on-one meeting with me here.
For our final class today, we’ll be quickly going over how to send encrypted email and then finishing by doing a few risk assessment scenarios.
Encrypted Email
If someone were to hack my email today, they would see that I received this message:
Date: Thu, Dec 3, 2020 at 3:47 PM
Subject: Verify your email address
To: Emily Johnson <[email protected]>
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
It looks like total nonsense to the hacker, which is the goal. But if I use a browser extension called Mailvelope and enter the password for my private key, I can decrypt the message and see that it says this:
Hello Emily Johnson,
please verify your email address [email protected] by clicking on the following link:
https://keys.mailvelope.com/api/v1/key?op=verify&keyId=fa3abceedb22a2a5&nonce=d4461f188cb521264a9c315f7ffd4d1f
After verification of your email address, your public key is available in our key directory.
You can find more info at keys.mailvelope.com.
Greetings from the Mailvelope Team
Not the most exciting reveal. I just set up a new public key with Mailvelope, and this was the confirmation. But it works the same way if I’m, say, receiving sensitive information from a source and worried about a foreign government (or my own) accessing that information.
From Mailvelope’s tutorial:
In order to communicate through encryption, you have to “seal” your message in such a way that only the recipient can access it. You need the so-called “public key” of the recipient so that your message can be encrypted and sent securely.
Only this recipient has the “private key” associated to this public key. This “private key” allows the recipient to decrypt and read the message. In PGP / Mailvelope we therefore always speak of key pairs:
- Public Key – used to encrypt messages. It can and should be accessible to everyone!
- Private Key – used to decrypt messages. It must be securely stored on your computer (this is handled by Mailvelope). Access to your private key is also protected by the password that you chose when creating the key.
If you want to send an encrypted email to someone, you need to know their public key, or know their email address is linked to a public key that is already in a database like Mailvelope’s.
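What someone reading the mailbox can still learn from an encrypted message, as an added example that is not part of the original post or Mailvelope's code: the armored block is base64 with a CRC-24 check line, and the first packet names the recipient's key ID in the clear. The key ID and filler ciphertext are constructed sample values, and `armor`, `dearmor` and `visible_recipient` are names chosen here.

```python
import base64

def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1, the checksum on the armor's last line."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes) -> str:
    """Wrap raw OpenPGP bytes in ASCII armor (used here only to build the sample)."""
    body = base64.b64encode(data).decode()
    check = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP MESSAGE-----\n\n{body}\n={check}\n-----END PGP MESSAGE-----\n"

def dearmor(text: str) -> bytes:
    """Return the bytes inside an armored message after verifying its CRC-24."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if lines[0] != "-----BEGIN PGP MESSAGE-----" or lines[-1] != "-----END PGP MESSAGE-----":
        raise ValueError("not an armored PGP message")
    inner = lines[1:-1]
    if "" in inner:  # optional armor headers end at the first blank line
        inner = inner[inner.index("") + 1:]
    if len(inner) < 2 or not inner[-1].startswith("="):
        raise ValueError("missing checksum line")
    data = base64.b64decode("".join(inner[:-1]))
    if crc24(data) != int.from_bytes(base64.b64decode(inner[-1][1:]), "big"):
        raise ValueError("CRC-24 mismatch: armor is damaged")
    return data

def visible_recipient(data: bytes) -> dict:
    """Parse the cleartext start of a version 3 session-key packet (tag 1)."""
    if (data[0] & 0xC0) != 0xC0 or (data[0] & 0x3F) != 1:
        raise ValueError("first packet is not a new-format tag 1 packet")
    if data[1] >= 224:
        raise ValueError("length encoding not handled in this example")
    start = 2 if data[1] < 192 else 3  # one- or two-octet packet length
    return {"version": data[start], "algorithm": data[start + 9],  # 1 = RSA
            "key_id": data[start + 1:start + 9].hex()}

# Constructed sample: a packet header with a made-up key ID and filler "ciphertext".
SAMPLE_KEY_ID = "0123456789abcdef"
_body = bytes([3]) + bytes.fromhex(SAMPLE_KEY_ID) + bytes([1]) + b"\xaa" * 16
SAMPLE = armor(bytes([0xC1, len(_body)]) + _body)
print(visible_recipient(dearmor(SAMPLE)))
```

The Date, Subject and To lines that sit above the armored block in the email are likewise not encrypted, so only the message body is hidden.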
I want you all to take a few minutes and follow these instructions to install the Mailvelope browser extension, set up your public and private keys, and send an encrypted email to me at my [email protected] email address (which is already in the public key database). I’ll be using encrypted email to send you your final grades, so make sure you learn to do it correctly! 🙂 And don’t lose your private key password, because it cannot be reset.
Risk Assessment
ACOS Safety Standards can be found here, along with a list of signatories:
https://www.acosalliance.org/the-principles
Item #4 is this:
Journalists should work with colleagues on the ground and with news organizations to complete a careful risk assessment before traveling to any hostile or dangerous environment and measure the journalistic value of an assignment against the risks.
The Rory Peck Trust has a helpful and very thorough breakdown of what a risk assessment might include, along with a template: https://rorypecktrust.org/freelance-resources/safety-and-security/risk-assessment-security-protocol/
In-Class Exercise:
Creating a risk assessment and risk mitigation plan
Split into breakout rooms to discuss three real-life reporting assignment scenarios. Come up with lists of risks and corresponding mitigations.