Threat Model Assessment For High Risk Journalist In Hostile

Create a threat model by assessing your adversaries’ capabilities (state surveillance, ISP monitoring, physical targeting), identifying attack vectors (device seizure, source compromise, metadata exposure), and implementing layered defenses: separate reporting device with clean OS, Tor for communications, encrypted storage with plausible deniability, and operational security protocols (regular pattern-breaking, location variation). Document your threat model, update it as conditions change, and maintain emergency exfiltration plans with trusted international contacts.

Understanding the Threat ecosystem

Journalists operating in hostile countries face adversaries with significant resources, including state-level actors, intelligence agencies, and coordinated non-state groups. Your threat model must account for adversaries capable of:

Subpoenaing communication providers
Compromising local ISP infrastructure
Deploying surveillance malware
Physical surveillance and detention

Unlike corporate security, you cannot rely on perimeter defense. Your threat model must assume compromise and design systems that minimize damage even when an adversary gains access to some components.

Building Your Threat Model

Step 1: Asset Identification

List everything an adversary might want to access:

# Example asset inventory structure
assets = {
    "communications": ["email", "messaging", "voice"],
    "location": ["GPS", "cell tower", "IP geolocation"],
    "identity": ["real name", "pseudonyms", "social connections"],
    "sources": ["communications", "meetings", "documents"],
    "work_product": ["drafts", "investigative notes", "photos"]
}

For each asset, assign a criticality rating. Source communications typically warrant the highest protection, followed by drafts and notes containing sensitive information.

Step 2: Adversary Profiling

Identify who might target you and what capabilities they possess:

Adversary Type	Capabilities	Typical Targets
Local government	Legal coercion, ISP access, malware deployment	All communications
Foreign intelligence	Zero-day exploits, infrastructure compromise	Source contacts
Criminal groups	Physical access, social engineering	Location, identity

State-level adversaries deserve the most conservative assumptions. If your adversary can compel cooperation from major tech companies or compromise undersea cables, assume standard encryption may not suffice.

Step 3: Attack Vector Analysis

Map how adversaries might access your assets:

Network-level attacks:

SSL stripping on HTTP connections
DNS manipulation and man-in-the-middle attacks
SIM card cloning and SS7 exploits
Compromised VPN servers

Endpoint attacks:

Device seizure with forensic extraction
Malware through spear-phishing
Supply chain compromise of devices
Physical surveillance with keyloggers

Social engineering:

Pretexting against contacts
Romance honey traps
Impersonation of sources or colleagues

Practical Countermeasures

Communications Security

End-to-end encryption remains essential, but implementation matters significantly:

# Verify Signal verification codes visually
# Generate QR code for contact verification:
signal-cli -u +1234567890 verify +0987654321

# For sensitive communications, use ephemeral messages
# and verify device keys on every new conversation

Consider that encrypted communication metadata—who you contact and when—reveals substantial information. Use mix networks like Tor for sensitive browsing, and route traffic through Tor when accessing email or messaging services in hostile environments.

Device Security Architecture

Design your device strategy assuming seizure is possible:

Primary device: Clean OS installation, minimal software, encrypted storage
Burner device: Cheap phone with prepaid SIM, used only for travel
Air-gapped machine: Offline computer for sensitive document work

# Full disk encryption with LUKS on Linux
cryptsetup luksFormat /dev/sda1
cryptsetup luksOpen /dev/sda1 secure_volume
mkfs.ext4 /dev/mapper/secure_volume

# Use separate encrypted containers for different threat levels
veracrypt --create sensitive.container

Enable remote wipe capabilities but understand their limitations. IMEI-based remote wipe can be blocked by adversaries, and cellular connectivity may be jammed during detention. Physical security measures—device locks, secure storage—provide the final layer.

Source Protection Protocols

When communicating with sources, establish protocols before sensitive conversations:

# Example secure meeting protocol
def secure_meeting_checklist():
    return [
        "Power off all devices",
        "Remove battery from phone (if removable)",
        "Meet in location with no surveillance cameras",
        "Use counter-surveillance detection",
        "Establish dead drop procedures",
        "Agree on compromised communication signals"
    ]

Dead drops—predetermined locations for document exchange without direct contact—reduce communication metadata exposure. Combine with reasonable deniability protocols that provide plausible explanations for any discovered activity.

Operational Security Procedures

Develop routines that minimize exposure:

Rotate phone numbers and email addresses regularly
Use pseudonyms for sensitive work
Segment social media presence from professional identity
Minimize digital footprint before high-risk assignments

# Audit your digital presence with reconnaissance tools
# Check what information is publicly available about you
# Use Wayback Machine to review historical content

Incident Response Planning

Prepare for the scenario where your security fails:

Evidence preservation: Know how to document violations
Contact protocols: Establish emergency contacts outside adversary’s reach
Source safety: Have procedures to warn compromised sources
Device recovery: Know remote wipe and lock commands
Legal preparation: Research privacy laws and encryption regulations

Create a security cone—a set of trusted contacts who can trigger pre-planned responses if you become unreachable. This provides resilience against detention or forced communication.

Signal Verification and Trust Models

Signal provides end-to-end encrypted messaging but requires you to verify contacts’ keys to prevent man-in-the-middle attacks. For high-risk journalists, key verification is non-negotiable.

# Signal security number verification
# On both journalist and source devices, compare security numbers
# This 60-digit code ensures you're communicating with the right person

# Example: Generate security numbers for verification
signal-cli --show-device-identifiers +1234567890

Trust existing contacts in person before establishing Signal communication. Meeting physically in a secure location to verify security numbers prevents adversary interception during initial contact establishment.

Maintain a written record of verified contacts’ security numbers in a secure location—a hardware-encrypted USB drive or paper notebook kept in a safe. If a device is compromised, you can verify contacts through this backup record.

Physical Countermeasures

Digital security means little if physical security fails. Design your workspace accordingly:

Communications location security:

Conduct sensitive conversations in locations where you’re not under observation
Use counter-surveillance techniques: vary travel patterns, use different routes, check for surveillance
Conduct meetings in locations with legitimate reasons for your presence (coffee shop, library, government office)

Device security:

Use a Faraday bag when traveling with sensitive devices—blocks RF signals and prevents remote activation
Keep devices on you or in your direct control—never leave them unattended
Use full-disk encryption that requires a password even after forced shutdown

# Full disk encryption command (Linux)
sudo cryptsetup luksFormat /dev/sda1
sudo cryptsetup luksOpen /dev/sda1 secure_storage

# Even if device is seized, data remains encrypted without password

Asset Categorization and Separation

Separate your digital assets by risk level:

# Asset categorization for journalists
assets = {
    "RED (Highest Risk)": [
        "Source contact information",
        "Unpublished investigative notes",
        "Encrypted communication keys"
    ],
    "YELLOW (High Risk)": [
        "Published work",
        "Professional contacts",
        "Meeting notes with timestamps"
    ],
    "GREEN (Lower Risk)": [
        "Public biographical information",
        "Social media presence",
        "General writing samples"
    ]
}

Store RED assets on air-gapped devices with physical access controls. YELLOW assets can be on encrypted devices with careful network isolation. GREEN assets can exist on devices with network connectivity.

Emergency Preparation

Prepare for scenarios where your security is compromised:

Indicators of compromise:

Unexpected device behavior (unexpected reboots, strange processes)
Interception of source communications (source reports government contacted them)
Physical surveillance indicators (following vehicles, repeated faces)
Network monitoring signs (DNS failures, unusual latency)

When compromise indicators appear, activate emergency procedures:

#!/bin/bash
# Emergency security lockdown

# 1. Cease communication with sources
# 2. Disable all networks
sudo systemctl stop networking

# 3. Document time and indicators
echo "$(date): Emergency activation - suspicious network activity" >> ~/.emergency_log

# 4. Boot into restricted mode
# (requires pre-boot configuration)

Have a secure communication channel to your support network—journalists’ organizations, legal counsel, international press freedom groups—that you can activate if detained.

Long-Term Operational Sustainability

High-risk journalism is emotionally and technically exhausting. Unsustainable threat models fail over time when operational fatigue sets in.

Be realistic about what you can maintain:

Use automation for repetitive security tasks (backup scripts, key rotation)
Establish routines you’ll actually follow (device updates, password changes, contact verification)
Work with organizational support—don’t shoulder the entire threat model alone
Cycle between high-vigilance periods and recovery periods

A threat model you follow 80% of the time provides better protection than a perfect model you abandon when overwhelmed.

Resources and Support

Organizations providing support to journalists in hostile environments include:

Committee to Protect Journalists (CPJ)
Freedom of the Press Foundation
International Federation of Journalists
Article 19
Reporters Without Borders

These organizations provide direct support, financial assistance, and sometimes physical relocation for journalists facing imminent danger. Establish relationships with these organizations before you need them.

Built by theluckystrike — More at zovo.one