Security researchers are hypocrites: we don’t follow our own advice. Privacy advocates don’t bother with tracking protection, and cryptographers don’t use cryptography; we don’t apply security updates promptly, we don’t pin SSL certificates, and we don’t use DNSSEC. It’s fair to suspect that if you don’t eat your own dogfood, it can’t be any good.
One of the interesting consequences of the Snowden affair is that we’re getting a chance to see, vicariously, what it is like to actually live a security-conscious life. The journalists working with Snowden are facing a degree of hostile scrutiny from government agencies that security researchers have never had to deal with, and they’re writing about it. It’s not quite the same as being Snowden, but it’s the next best thing.
Laura Poitras, the documentary filmmaker, played a crucial role in getting the Snowden leaks out, thanks to her experience as a surveillance target. Her experiences and countermeasures are described in this New York Times article.
We also have this account of the detention of David Miranda, who apparently was given some electronic documents by Poitras to pass on to Glenn Greenwald. The UK government claims that Miranda had in his possession a password written on a piece of paper, and that this password enabled them to decrypt a single file (out of 58,000). In a case of the pot calling the kettle black, they claim that this is “a sign of very poor information security practice.”
Finally, Bruce Schneier has revealed that he is working with The Guardian on the Snowden documents, and has started to implement security measures himself. I’m looking forward to seeing whether a security expert will fare any better than your average journalist.