PROJET AUTOBLOG


Okhin

Archived

source: Okhin


Aftermath

Wednesday 4 July 2012 at 16:06

Disclaimer

I won't speak about everything we've discussed, for people's lives are at stake. Also, as usual when things are done with orgs, I mostly spoke with people, not the entire organisation. And, since they're not robots, their view does not reflect the view of everyone behind the AFP name.

I had a lunch meeting

Yeah, again. But this time with a different kind of people. After the discussion via different media I had with AFP (my views and part of theirs are here), we came to the conclusion that we need to talk with a cold head.

So, they invited me for a lunch. It's perfect if you want to keep it short in fact, and usually people are more available.

So, there were three of them: one field journalist who works in the Middle East, the head editor in social media and one of their IT guys, specialized in security. All of them are nice and interesting people and they do understand the issue with Skype.

AFP is an old lady

AFP is an old lady, crippled with habits and prejudices. And things will move, but they won't move fast. I know there are people who think it will be too slow, but I'd rather have them starting a real reflection about protecting their sources, even if it takes years, than moving without thinking it through.

Also, a lot of people there do not understand the problematics around new media and internet. AFP has offices in a lot of places with issues about freedom of communication (China, Lebanon, etc.) and they have done it for years (they worked in USSR for instance) and so, they're quite aware of the problematics about protecting their sources.

It's an old lady, and like every old lady, they're experienced and, sometimes, a bit arrogant toward the youngest. But who isn't?

AFP is an information system

Like every corporation. But when you manage an information system, you must be aware that you can only manage the information inside your system. I cannot manage information coming from your blog, I can do it only from mine.

Same goes for AFP, they can do whatever they want to protect information, once it has reached one of their entry points (which is basically reporters and journalists on the field). They cannot do a lot of things about information coming from the outside.

So, for the part that's inside AFP, they do use VPN, and they've blacklisted Skype from their networks. They have strong security and encryption measures to protect the data received by a journalist, once it has been gathered.

The issue with gathering information

The problem is when they need to get in touch with people. Or, in fact, when people want to get in touch with them. According to their experience, it started in Libya. Rebels there wanted to have their voice heard so they began Skyping everyone (from Reuters to AFP, going through each international media they were able to reach).

The opponents were using Skype on their own because it is convenient. It's installed everywhere and it works without question (which is, for me, a sufficient reason to not use it) and the AFP's argument is that, if they want information, they have to accept Skype calls.

What can be done

First, they have, I think, a good approach of security, trying to have a process around that, to define simple good practices and tips that can be used easily.

Second, I told them that they should run their own free services for people outside the AFP to reach them. Like deploying SIP or ZRTP servers, etc. And to define them as the default entry point for external people (on the contact page for instance).

Third, they need to find a way to open a secure channel over insecure ones. It's not that easy, and it needs cooperation from the people on the field. Basically, if an opponent reaches them and can have a short contact to give all the information they want to transmit, it's OK. A 30s phone call will take several minutes or hours to be detected and analysed. If not, they should use it to define a different way of communication. Whatever it is.

The thing is, it'll be viral. If opponents get into the habit of using unusual channels to communicate, they will do it with all their contacts. It will spread and then, other agencies will do the same thing, slightly enforcing those habits.

Fourth, we will stay in touch for other events like #Jhack, for them to share their experiences and for hackers to try to teach them fun ways to protect themselves and sources.

Fifth, they should avoid using a trademark as a protocol name. They contact people by VOIP, not Skype. It is information that has nothing to do with journalism.

Conclusion

We, as hackers, must keep an eye on those old organisations. And, instead of slapping them hard, we should try to show them a different way they could explore by themselves.

I won't work with AFP, for I have no time for that, and they have competent security people. But I will stay in touch with those people I met, sharing experiences and working around issues we can meet.


Correction made by @NectarineFoofyB

Stupid journalists are killing people

Monday 2 July 2012 at 15:03

Stop killing people, stop using Skype!

A journalist friend of mine pointed me to a news flash from AFP - REF: 29578 DVBP 729 GLN20 (4) AFP (295), if it means something to you - in which they killed someone. Or, if it's not the case, he will be killed soon.

Why? First, they used his full name in the text, and the city where he lives. This is, in essence, like putting a target on his forehead and waiting for snipers, tanks and/or mortars to kill him.

But worse, they used the infamous malware named Skype to contact him. Besides the huge privacy issue related to using something that has been 'accidentally' deployed in the last Windows Update, it is of public knowledge that Skype is used as a trojan to identify and hunt activists in Syria. The EFF posted about it, Kaspersky posted about it, even the original writer of the tool used inside Skype to deploy the Remote Access Tool has written about it along with a removal tool.

So, journalists have known, for months, that it is dangerous to use Skype. It is also dangerous to use closed and proprietary software. A lot of people have been telling this for months now and even make propositions to use alternative, free and decentralized systems, because it is the only way to enforce some bits of privacy.

You are a fucking idiot AFP

So, enough with the polite arguments. Each and every time someone uses Skype, Twitter, Facebook, MSN, Gmail or any other widespread and centralized system (it includes relying only on one XMPP server, or status.net one) they're putting their sources in danger.

So, fuckers, YOU HAVE TO STOP THIS. Get your fingers out of your ass. Just think and do your jobs. You're destroying everything that people are trying to do by being a lazy asshole full of selfishness and thinking without brains.

Stop that or I'll go after your family and smash them with Apple hardware (since it appears they can be used only to slap someone).

You knew that Skype is dangerous. But you did that call. And you put the name. You've killed the person who trusted you, you're not better than the ones that are killing people in the street.

Addendum

It appears that the interview is exploited among various flash news, you can find one here (without going through a paywall)

Also, people might want to know what the risks are. Since it appears some are lazy enough to not use seeks I've done a quick search and found all of those:

It took me 20 seconds to find those. Also, if you're looking for ways to communicate, there are two links I recommend:

Replies

Ok, so @afpfr did reply to me. Nice of them. Here are their tweets (they also replied to Telecomix and Ju).

Basically they wanted me to contact them first, and then they said that their contact had no issue with the publication of its identity, adding that this identity is a pseudonym.

So, I do not think getting private on this issue will have them answering anything and changing their habits. Also, if it's a pseudonym, it is to make the sources unidentifiable. So, why write down the pseudonym? And if their contact always uses this pseudonym, the mukhabarats can get after him, arresting people to torture them and to make a link between his ID and his pseudo.

Also, I have no personal issue with the AFP. I have one with each and every person that will put someone in danger, because they are too lazy to think and use free software.

Moar Replies

Yeah, I know. But AFP did a long reply and I think it's interesting. You'll find the text in FR here and I think it is interesting.

First they did a long reply, which means we got their attention. And it also means they're concerned about it. So, I'll do a point to point reply, translating the text on the go. Because I do think that things can change.

Lots of internauts were flaming against the AFP, on the second of July, accusing them of putting in danger the life of a Syrian opposition member.

Telling that the rage was overrated does not change the fact that you did put his life in danger.

In a flash news from Beirut, titled « Homs is still under fire, some injured people are amputated (militants) » and published Monday at 08:50 AM GMT, a militant from the bombed Syrian town gives us his testimony:

"A lot of districts in Homs are still besieged and it's very hard for us to bring food and drugs in" Khaled al-Tellawy told AFP, a militant from Homs contacted by Skype.

Dozens of people, on Twitter and in blog posts, were outraged, sometimes in harsh and insulting terms, because of the fact that the AFP was quoting this Syrian opposition member by name. They also criticized the AFP for using Skype, a communication system that some judge unsafe regarding the terms of use. The Syrian government is suspected of having created some malware that grants it the possibility of easily locating militants when they use Skype.

Ok, I do accept that I've missed the pseudonym part (but then, having a pseudo or 'one guy' is the same). But, when you're saying that some people think that Skype is insecure, you're missing the point.

Skype is a trojan. It's a free (as in free beer) tool that lets users communicate using non-standard VoIP protocols. It lets a user share almost anything via Skype. From text message, to sharing desktop, going by voice and video. It is now a subsidiary of Microsoft. And we all know that Microsoft works with each and every government, for instance in Tunisia.
And the FBI Use Skype as a surveillance tool

Besides, there are documented cases of Skype being used as a trojan in Syria to target activists there, the EFF spotted some of them:

Sammy Ketz, head of the AFP office in Beirut where the news was redacted, denies all accusation of carelessness.

« We explicitly asked him the authorization to quote him. He granted us this right, given that Khaled al-Tellawi is, of course, a pseudonym. Tellawi being a Syria area » explained Sammy Ketz.

« None of our interlocutors gives us his real name and they choose their pseudonyms by themselves » he adds. « It is the militants who are trying to contact us by all means possible and they invite us to join them on Skype. It is, most of the time, their only medium of communication with the outside. It is a wrong trial for an agency who always tried to protect their sources, especially in a conflict as dangerous as in Syria. »

So, why don't you publish the pseudo of all your sources on each press release? I mean, if it's so important for a good information, why aren't all the journalists publishing the name of their sources, even if it's a pseudonym? I mean, it appears to be a common practice, since AFP is a traditional press agency with a good reputation, right? I might be missing something, right?

We should ask mediapart and Le Canard Enchaîné to disclose each source they have also. After all, this is how good journalism is done if I follow your thoughts. AFP, you might be kidding, or on crack to think that.

Also, if someone goes in the middle of a street while a truck is going to smash him, you warn him, you try to push him out of the way, you just don't leave him right in the middle of the road. So, the argument that they reach you via Skype is fallacious. You should use this contact to establish a secured communication with them.

« We're using Skype daily to communicate with Syrian rebels, as we've always done before in Libya and to this day, and no one else has ever blamed us for that » adds Jean-Louis Doublet, AFP chief editor for the Middle East

We've already blamed anyone for using Skype, through the @telecomix status.net chan, this blog or through a lot more media (even Richard Stallman warned everyone against Skype at the Jhack second iteration). So, you knew it and you were already blamed for that. But now, you are listening, so you'll learn (I hope).

And the fact you were doing mistakes before, does not mean they weren't mistakes.

« Opponents are necessarily conscious of the dangers of using Skype. But it's that or be totally cut off from the outside world. In this country, everyone is risking their life » he continues. « All the media are using Skype to speak to Syrian opposition. Accusing AFP of doing it is specious. If someone wanted to forbid us to spread the opposition's words they would not do anything else. »

No, opponents are not necessarily aware of the dangers of Skype. But you are. It is your duty, as journalists, to establish secured channel of communication with your informants on the ground. You cannot assume that people are doing what they should, or we won't have conflict everywhere.

The fact that everyone is doing a mistake, does not make the mistakes the right things to do.

And, well, I do not want to shut any contact with Syria. I just want people to think about the way they're communicating. Telecomix and the WorldNeighbourgHood have permanent contact with activists on the field, using more secure chan.

With Telecomix, we are trying to make people aware of more secure ways of communication. For 15 months we've also been building communication channels that anyone can use. You do not even have to ask us the permission first.

But yes, it means, you have to think first and act then.


Edited to add the various links at the end (2012/07/02 16:37 Paris time). Edited to add the replies (2012/07/02 17:39 Paris time). Edited to add the more detailed reply of AFP (2012/07/02 20:22 Paris time).

How I streamed the last JHack conference

Friday 29 June 2012 at 11:31

Introduction

So, yesterday, the regular Jhack crew set-up an event with Richard Stallman to talk and exchange around the issues involving Free Software and Human rights.

And, as we want to build and keep history (also, it was a week day, so some people can't come physically to the nice place we've had for the occasion), we wanted to stream.

When it comes to streaming something, it usually sums up to having a cam, connected to a laptop of a sort, which then sends it over a more or less closed source application. Everything ends up on the web in a flash player (websites like Bambuser or Ustream are doing a great job to broadcast video from revolutions, but I cannot see the video there for I have no flash, please people, think HTML5 now, also this is why [TBS][] uses HTML5 and not a flash player).

And I did not want that. There might be a way to do it, without using the horrible command line tool gstreamer (I cried tears of blood last time I wanted to use it).

Also, I was surrounded by Apple products (Journalists, change your habits! I cannot work like that anymore), none of them being able to be used as I wanted to (meaning, just do something without Apple software). The last thing I had was a laptop with a small cam and an internal mic.

Tools of the trade

Since we were looking for a streaming solution in #opSyria, a part of the preliminary research had been made, so here are the tools that were needed to stream:

Assemble everything

Once you've found all of the above, the worst part is done. If you have a powerful laptop, you can even record the stream locally; it wasn't needed here since we've got a camera crew working on it.

  1. Plug your computer into the network, start it and launch VLC.
  2. Visit [Giss.tv][] and create a channel for your need. They will send you all the needed information for you to stream.
  3. In VLC go in File > Stream, choose your physical device (nowadays, most probably a video4linux2 one; the cam is usually in /dev/video* and the sound is your ALSA card, probably hw:0,0). Click on Stream.
  4. Check the "display locally" check box, extremely useful to monitor and check everything is ok. Stream to a shoutcast server, fill in the details [Giss.tv][] has sent to you.
  5. You want to transcode to a set of codecs of choice (free ones, my choice is Theora / Vorbis).
  6. Click on Go. The streaming will start. Go on your interface page on [Giss.tv][] and say ohai to the camera, you're on the TV \o/
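The same setup driven from a shell, as an added example rather than the author's own script. The host, port, mount point and password are placeholders for the details Giss.tv sends; the `source` user name is an assumption (the usual Icecast/Shoutcast convention), and the `VB`, `AB`, `VIDEO_DEV` and `AUDIO_DEV` variables are hypothetical knobs introduced here.

```shell
#!/bin/sh
# Added example: command-line form of the VLC GUI steps above.
# Usage: sh stream.sh --go HOST PORT MOUNT PASSWORD   (all four are placeholders)

# Accept only characters that cannot break out of the VLC --sout chain
# or of the shout URL (no braces, commas, colons, slashes, '@' or spaces).
valid_field() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the stream-output chain: transcode to Theora/Vorbis, then duplicate
# to a local preview ("display locally") and to the shoutcast mount point.
build_sout() {
    host=$1; port=$2; mount=$3; pass=$4
    valid_field "$host" && valid_field "$mount" && valid_field "$pass" || return 1
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '#transcode{vcodec=theo,vb=%s,acodec=vorb,ab=%s,channels=2}:' \
        "${VB:-400}" "${AB:-64}"
    printf 'duplicate{dst=display,dst=std{access=shout,mux=ogg,dst=source:%s@%s:%s/%s}}' \
        "$pass" "$host" "$port" "$mount"
}

# Capture from the webcam (video4linux2) and the ALSA card, then stream.
stream() {
    sout=$(build_sout "$@") || { echo "invalid stream settings" >&2; return 1; }
    # The --sout argument, password included, is visible in the process
    # list while VLC runs, so do this on a machine only you use.
    cvlc "v4l2://${VIDEO_DEV:-/dev/video0}" \
         ":input-slave=alsa://${AUDIO_DEV:-hw:0,0}" \
         --sout "$sout"
}

# Start streaming only when asked explicitly.
if [ "${1:-}" = "--go" ]; then
    shift
    stream "$@"
fi
```

Lower `VB` (video bitrate, kbit/s) first if the CPU cannot keep up with the Theora transcode.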

Conclusion

I had some pain to manage the network over there (not mine, they're not used to weird people doing strange things with network) and with the CPU power needed to transcode. My good old netbook wasn't powerful enough.

The quality was awful, due to the fact I have nothing better than internal devices. For the next time I need even a cheap jack microphone and a webcam that I could use to zoom on the subject and have better than 2.3 Mpixels.

Also, I need to plug the power cord into a power plug that is actually connected to the electrical network. I had to set this up in a bit of a rush and that totally slipped my mind.

I also need to find a way to do it from the command line. But it works. It's dead simple and it's free. So now, you have no excuse.

If you want a shiny design around these, just put some CSS and HTML around, and it would be enough. But get rid of Flash.

LQDN Needs your support

Tuesday 12 June 2012 at 11:11

Support
LQDN

Once upon a time

Once upon a time, the intertubes were the people's wet dream, silicon and copper made, connecting each and every computer that could be physically connected to it. The tubes were made to be resilient, even with low resources, and a lot of volunteers worked day and night to keep it alive.

It was the biggest home made construction. Think about it, from your internet box to any server connected in the world, there's a physical link (once in copper, now in fiber optic), going across oceans and land, sometime the link goes up through a satellite but most of the time, everything is connected in a World Wide Web.

The internet was, back in the time, free to use (as long as you had access to it, you could do whatever you wanted to do), decentralised (if the cable running through the Atlantic was severed, you could still access your side of the internet, and even go through the Pacific to reach the United States for instance) and without any control (you do not need DNS to publish content, you need people to know how to find you).

And everything was nice, and the RTC modems were singing their happiness song, long time before anyone heard the Nyan Cat.

And then everything goes faster

But states looked at it and realized that people could find any information they wanted to find, not only the one they could more or less control. They found that each reader of a blog is potentially a writer of another blog, or a musician, or a painter and will produce online content to be read by someone else.

But corporations saw that people were duplicating content, because that's the only thing Internet can do: it duplicates content. Whenever you reach seeks, you make a local copy of the content hosted on the server (and yeah, that's why I'm yelling at my fellow colleagues that they must clear their cache). So, corporations saw that anyone was copying anything, not like when you were doing mix-tapes (with a degradation on each copy) or when you were exchanging CDs with your friend (because then you have no access to the physical item).

Corporations were upset and they killed the cat with headphones, aka Napster. They, in fact, did something good for internet because, then, everyone remembered that internet is decentralized and that sharing must be decentralized also. So, eMule and BitTorrent rose from the ashes of Napster. No more single point of failure in the exchange process.

Corporations wouldn't just let it go and accept they needed to change. Instead of changing (and growing up, and going next-level, like Pikachu turns into Raichu to face bigger challenge), they got in touch with governments.

And they wrote ACTA down. Secretly. Without anyone knowing. They wrote a remote access tool that would be inscribed in each and every constitution of the states that will sign it. They wanted to do it without anyone noticing it, because they knew from the beginning that what they were doing couldn't survive a public debate.

They wrote the only thing that could destroy democracy from the inside, without due process of law or without the people's consent. And they almost succeeded.

Here comes a new challenger

It would have succeeded without the fierce determination of small groups of people. Those are called Liberty Fighters, or Civil Society. One, in particular, is fighting in the European Arena, they are La Quadrature Du Net (aka LQDN). They oppose each try of 'cultural lobbies' to hinder our right to communicate.

They fight the Four Horsemen of Infocalypse each day, they're not afraid of tackling our so called 'Elected Representatives' in the different places of power in Europe or elsewhere.

But they cannot do it alone. They need your support. It's a full time job to read each law that can kill one of your liberties, to call and explain to our deputies why those laws should not get anywhere near a legal code of a country, to speak and hear in panels all around the world.

So, if you like your freedom of expression, if you like your intertubes being uncentralized and without control, if you like your nyan cat diving in the sky you must support them. And you can probably get a Tshirt for that.


Full Disclosure

Thursday 7 June 2012 at 12:02

Full disclosure

I'm a supporter of transparency, especially when some meetings can impact other people. So, yes, I had a lunch with spies from the DCRI. French FBI as Mr. Guéant, former Interior Minister, called them.

They paid for the lunch in a Parisian restaurant (around 20€), and the interview was one hour long (the length of my lunch break) and it was on the 16th of May, 2012.

Sleep in bed with the enemy

The question you may ask is 'Why?' Why would I talk with the enemy? Well, it's quite simple. I always think you have to talk with everyone who wants to talk to you, at least to say 'shut up, I do not want to speak with you'.

But, I want to know who's spying on me. They are paid to spy on the population, especially on people who hang in hackerspaces or hacker groups. That's their purpose, that's what they're paid for.

We always assumed that, on any non restrictive channel we could use, there are spies silently recording everything that is said. If you think that's not the case, you're putting yourself in danger.

So, they already know what we're doing and what we are. And, well, the funny part is that, since I tend to publish everything I do, finding what I do is not that hard.

But I wanted to know them. To have faces to look for in meetings to spot them better. To know what they know about me, what they think I am. Sun Tzu said that you have to know your enemy. And they're one of them.

So, that's why I accepted to see them, in public meat space, to have a chat.

What is it about

They wanted to know what Telecomix is, how it's organized. I told them nothing more than what's in the newspaper or in the intertubes already. I didn't mention names or pseudonyms, nor anything that could be legally argued against.

They wanted to know if we had enemies, if we had trouble with threats in real life and they offered their help, which I refused. They immediately denied that they're spying on people, arguing that they have not enough time or budget for that, which is a lie.

They also denied, too fast to be honest, that they're using an eagle system in France. They didn't like the streisand effect and the datalove thing, for they seemed to infiltrate radical political groups and that I could mirror anything that has been censored. They did like what we've done to fight censorship however, as long as it's abroad.

They were friendly, trying to make me tell them that there actually is a leader, besides Cameron, in the cluster.

I did not spoil them any dark secret of the cluster, for we have none I'm aware of. Stay reassured, I did not tell them about the take-over-the-world-agendas we all have.

It happened before, it will happen again

I'll see them again, and I'll try to write about it each time. I'm not sure it went well, but now I know their faces, and I know what they're interested in. They know nothing more than you can find using seeks.

If it makes you uncomfortable, I do not understand, but that's ok. Run away. I mean, if you're close enough to me to think that you can get in trouble, well, you're already under spying.

It's a cat and mouse game we always played with them. Let's bring the game to another level. We need to know them.

Editing, links, some grammar corrections, and I found the date so added it