[Former reporter here] I have worked with confidential sources, and there are a number of things you can do, as a whistle blower, to protect yourself.
Phone calls are better than files, generally speaking, and you should be calling from a burner; i.e. a pre-paid phone that is not in your name. You shouldn't even give your real name to the reporter on first contact. Reporters take notes and some of them have to share their sourcing with editors. So be really clear with them how they will treat your real identity, if you choose to share it.
Face to face meetings are sometimes better than phone calls. You should assume, when you're handling highly sensitive information, that the reporter's devices may eventually be hacked, bugged or subpoena'd, so make sure that an electronic trail does not lead back to you.
You should carefully choose the journalists you leak to. The best choice will have to be well sourced. That's because the information you leak to them, in most cases, will have to be confirmed. That is, they will have to call other insiders they know and ask "Is X true?" If they don't have other sources, the information you provide will probably not make it to the public.
Reporters also get contacted by a lot of nut jobs, so early on, do what you must to establish credibility. Trust has to be established both ways.
I'm not quite sure you realize how risky to sources the methods of contact you suggest are. I understand your point of view as a former reporter, clearly you know what works best for the receiving end. But burners without a voice modulator of some sort are very likely a huge deterrent for most potential sources because they don't know whether they can trust the cell network (localisation, voice identification).
Face to face meetings sound preposterous for someone who would risk prosecution under the Espionage Act, for instance. I know that's a rare scenario, but in more common cases there are still clear inherent risks in meeting face to face with a journalist. And that's not even considering the potential time and costs involved in reaching a journalist with national/international reach.
Regarding nut jobs, that clearly sounds difficult to parse. But at the risk of sounding like I'm hounding on you, there seems to be a misunderstanding on the part of journalists of the kinds of risks sources are putting themselves into.
Worse yet, an underestimation of how much journalists – through their expectations and treatment of source data – passively and routinely put their own sources at risk by being illiterate in matters of operational security (encryption, surveillance-self-defense, network security, etc.).
He had to enlist outside help to get a journalist to stop fucking around with operational security. This in turn is perhaps why Snowden is still free and alive to this day.
What's the best way to leak from the press? Suppose a whistleblower inside, say, the NYT, has internal evidence that demonstrates some kind of negligence or malfeasance in the important task of informing the public?
Who would be the right party to leak to, for one thing? Another press institution?
Also, has anything like this ever, like, actually happened? If so, when? If not, why not?
> Phone calls are better than files, generally speaking, and you should be calling from a burner; i.e. a pre-paid phone that is not in your name.
Wouldn't you still be identifiable based on voice biometrics? Or by the security camera video of whichever store you buy the burner phone from? And if meeting in person, you could be trivially shadowed.
It still looks to me like "Phone calls are better than files" is completely backwards. Files can be transferred over onion routing or other darknets, carry less identifiable information and can be digitally signed to establish identity as being the same source over multiple leaks.
Well OK, but the most useful thing about securedrop is that you can use it to leak documents that are already in electronic form. You can't really send files from a burner phone and having to actually meet someone to give them a USB drive is pointlessly inconvenient.
For actual communication that might identify you, sending a plain text file over something like securedrop is much safer than using a burner phone to call an endpoint that is pretty much for sure under heavy surveillance. If you don't know about metadata then you probably shouldn't do this until you are done with the required research.
> Phone calls are better than files, generally speaking, and you should be calling from a burner; i.e. a pre-paid phone that is not in your name.
Is that fairly easy to do? I heard in some countries it is hard to get a SIM card without a proper ID. How easy is it to get a burner phone in the US without raising red flags?
The very fact that an organization like the Nieman Foundation can publish something like this article without first having the good sense of enabling required TLS on their website is frighteningly careless.
Anyone from governmental agencies who read this article at home or work can now fairly easily be targeted by the relevant surveillance agencies.
But why would they bother? The point of collecting data for surveillance is to provide signals that help sort the real threats from the noise. But the Nieman Foundation is such a well-known and widely-read blog that just reading an article there is not at all noteworthy, regardless of the subject.
Most government employees are not even in a position to access leakable data even if they wanted to. Targeting them based on reading an article would be a waste of effort.
I'm confused, what would TLS do? The surveillance agencies can log an HTTPS URL as easily as an HTTP URL, they don't need to see the contents to see that you requested it.
Even the NYTimes has admitted the "omg gagged scientists!" line is standard operating procedure with new Administrations:
> “I’ve lived through many transitions, and I don’t think this is a story,” said a senior E.P.A. career official who spoke on the condition of anonymity because he was not authorized to speak to the news media on the matter. “I don’t think it’s fair to call it a gag order. This is standard practice. And the move with regard to the grants, when a new administration comes in, you run things by them before you update the website.”
But the administration has not earned the benefit of the doubt. The outrage is more directed at what Trump has promised to do (eliminate the EPA, or make drastic cuts, or halt its climate change activities), than what he has actually done so far. He has not earned the trust or respect for anyone to reasonably say "this is routine, I'm sure he won't do anything stupid".
You can't always stay silent until after something outrageous has happened. Some things are easier to prevent than to undo.
Trump and his people have openly spoken and acted against the media. Also, IIRC, the prior Republican administration blocked scientists from speaking openly and had politicos edit all communications, while the Obama administration allowed the scientists to communicate unfiltered. One speculative statement from an anonymous EPA official doesn't offset that.
> Even the NYTimes has admitted
I'm not sure what that means. The Times has reported all sides of the spectrum. They broke the Hillary Clinton email server story, for example, and also Trump's tax returns.
Did you read the Sunlight foundation post (link in the Nieman piece)? This isn't just about agencies talking to the media. Scientific publications were also restricted.
Sites shouldn't be putting secure drops in a subdomain. DNS and TLS SNI expose domain names in plain text, so 3-letter agencies watching backbone traffic will immediately notice when "securedrop.example.com" is accessed.
Vice and Intercept made a better choice using a path on their regular domain:
(SecureDrop developer here). Obviously we agree, using a SecureDrop-specific subdomain makes traffic analysis trivial. Our deployment best practices [0] warn folks not to use subdomains.
Sadly, since SecureDrop is decentralized, we cannot enforce this, and some organizations apparently find it very difficult to provision a separate path ("example.com/securedrop" instead of "securedrop.example.com") for their SecureDrop landing page.
So much more to opsec than using tor. I hope leakers are either ready to be unmasked, or have countermeasures against things like document fingerprinting.
This piece is so incredibly irresponsible. If someone uses this to leak truly important information, they should not be surprised to quickly receive a knock on the door and a dark cell. There are many people in a position to leak things who are not involved in technology and may believe these steps are adequate for their protection.
Layers. It's all about layers. In this case, using Tails and Tor makes it less likely, but not impossible, that the adversary will actually get their hands on the leaked document for analysis in the first place.
(In this case I would be more concerned about the SecureDrop application and the specific instances becoming too juicy a target for the counter-intel people. Once they decide to infiltrate something, they generally do after a while.)
Yes, the steps detailed in the post are likely not enough to evade being caught if a large intel agency is looking for a leaker. It very probably will be enough to prevent detection before the materials are published, but not necessarily afterwards when authorities start looking for a leaker.
Are there software vendors selling systems that make it easy to fingerprint documents? Are there any proven known cases of some administration branches using fingerprinting routinely?
How long until someone on the Trump side starts sending spam to all of these addresses?
They can't block it, but good luck finding real signal in millions of requests.
Or, more subtly, deliberately leaking easily discredited stuff. Once it gets published, it becomes a propaganda target. As a great example, consider how Dan Rather was taken down by https://en.wikipedia.org/wiki/Killian_documents_controversy. Planting a perfect smoking gun was enough to bring down Dan Rather and make the story of how Bush got his draft deferment toxic in the media.
The ultimate irony there is that the story that Dan Rather reported was actually true. It had all been reported in The Guardian by Greg Palast, and Dan Rather had started with access to his research. It didn't matter, planting perfect fraudulent documents managed to discredit it.
I guess the guy was the only one on the network using tor, making him easy to identify.
So unless tor gets a huge userbase in DC, it seems like an encrypted url would be safer. (I don't know much about tor; am I wrong?) Everyone reads WaPo; no suspicion getting on that site.
But I think the main difficulty in becoming a leaker is that you have to hide your mental evolution as you decide to become a leaker. By expressing your dissatisfaction to your colleagues before you decide to leak, you make yourself a suspect post-leak. Leakers should be aware that traditional investigative mechanisms are very powerful, and even if the crypto is rock solid, it is still very likely they'll be caught. It's then a question of whether they are willing to 'take one for the team'.
The hard part isn't anonymously leaking the information. (You could do this with a $0.15 envelope and a stamp. Just remember not to put in your address as the return address and to wear gloves).
The hard part when you leak is that you are now in a set of people that knew the information. That usually boils things down to a handful or even one suspect. With US federal agents where in fact it is illegal to lie to them, they will have you in their office by lunch.
In this case, get a lawyer and don't answer any questions without them. Also, if you do leak a hard copy, print it at a public place and use a B&W printer. Color printers are relatively easily traced.
> Leakers shouldn’t use their work computers and should use public wifi, “like a Starbucks or at a hotel or anywhere where the Internet is open for public use.”
Lately there seem to be very few completely open wifi points. Most of them at least require some click through for agreeing to terms. Is there any risk involved here?
They likely receive a lot of leaked news items a year.
However, the vast majority are either:
1. Completely fake, because someone on 4chan/Reddit/an internet forum/social media wanted to see how many journalists they could prank with false information.
2. Uninteresting or pointless to write about, since they don't describe newsworthy stories.
So the amount of actual, legitimate leaked news stories they receive a year is likely a lot less than the amount of stories they receive through these systems in total.
probably a lot but few are headline grabbers, afaik the biggest leak of last year was the Panama Papers and the guy didn't really use these Secure Drop links because he had like several TBs of information
> Leakers shouldn’t use their work computers and should use public wifi, “like a Starbucks or at a hotel or anywhere where the Internet is open for public use.”
Hotels can normally link a computer on their network to a room number... Suggesting they use a hotel wifi isn't a good idea IMO (unless you are not actually a guest, and it's just an open public wifi network).
If you're one of the vast minority of internet users happening to be using Tor this stands out like a sore thumb from any party monitoring network activity. Not to mention many of the direct nodes are possible to be your would-be adversary. I hope users of this approach understand the risks involved.
Tor seems deceivingly plug-and-play to the less technical crowd
A few of these articles are suggesting that uploads be performed from public places (e.g., Starbucks) for the sake of anonymity/deniability. But it would seem that performing these actions in public would potentially reveal your identity, actions, and secret codename to any eyes or cameras around. As a question of general curiosity about anonymity, how does one weigh the benefits of using an open internet access point with the more literal visibility that using a public access point might entail?
The Panama Papers were 11.5 million documents that were leaked all at once -- If a piece of paper is .1mm thick, that stack would be 1.15km tall. If a single piece of copy paper weighs 5 grams, double-sided printing 11.5 million documents would produce a stack that weighs almost 30 metric tons.
Point taken though, one of the bigger stories of the campaign was the billion dollar loss that Trump claimed on his taxes in the mid-1990s. That came to WaPo and NYtimes via USPS and just landed in their mailboxes.
Is using a PDF a good idea? I imagine that it'll contain loads of interesting metadata which might be related back to your computer at some later date.
Most formats are bad for this honestly. Most of the MS Office formats have lots of metadata.
Printing them to PDFs might actually do a decent job to strip that data. You might have to make sure your PDF printer doesn't add additional metadata though.
Of course, proving authenticity in such a case is a necessity too, no journalist wants to be responsible for publishing fake leaks.
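The metadata the comments above refer to, as an added example (not from the thread or from SecureDrop): an Office Open XML file such as a .docx is a zip archive, and this Python script lists the author fields in its `docProps/` parts together with the zip entry timestamps, then writes a copy with both blanked. The sample archive is a constructed minimal container with made-up names, not a file Word would open.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

PROPERTY_PARTS = ("docProps/core.xml", "docProps/app.xml")
EPOCH = (1980, 1, 1, 0, 0, 0)  # earliest timestamp the zip format can store


def build_sample_docx() -> bytes:
    """Constructed sample: property parts plus one body part."""
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/'
            'package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/">'
            '<dc:creator>Jane Example</dc:creator>'
            '<cp:lastModifiedBy>jexample</cp:lastModifiedBy>'
            '</cp:coreProperties>')
    app = ('<Properties xmlns="http://schemas.openxmlformats.org/'
           'officeDocument/2006/extended-properties">'
           '<Company>Example Agency</Company></Properties>')
    body = ('<w:document xmlns:w="http://schemas.openxmlformats.org/'
            'wordprocessingml/2006/main"><w:body><w:p><w:r><w:t>memo text'
            '</w:t></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in (("docProps/core.xml", core),
                           ("docProps/app.xml", app),
                           ("word/document.xml", body)):
            z.writestr(zipfile.ZipInfo(name, date_time=(2017, 1, 25, 9, 30, 0)), data)
    return buf.getvalue()


def list_metadata(docx: bytes) -> dict:
    """Collect non-empty property values and the distinct zip timestamps."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        for part in PROPERTY_PARTS:
            if part not in z.namelist():
                continue
            for el in ET.fromstring(z.read(part)).iter():
                if el.text and el.text.strip():
                    found[el.tag.split("}")[-1]] = el.text.strip()
        found["zip_timestamps"] = sorted({i.date_time for i in z.infolist()})
    return found


def scrub(docx: bytes) -> bytes:
    """Copy the archive, blanking property values and entry timestamps."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            data = src.read(item)
            if item.filename in PROPERTY_PARTS:
                root = ET.fromstring(data)
                for el in root.iter():
                    el.text = None          # keep the element, drop its value
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            clean = zipfile.ZipInfo(item.filename, date_time=EPOCH)
            clean.compress_type = zipfile.ZIP_DEFLATED
            dst.writestr(clean, data)
    return out.getvalue()


def read_part(docx: bytes, name: str) -> bytes:
    """Return one member of the archive, to confirm the body is untouched."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        return z.read(name)


if __name__ == "__main__":
    original = build_sample_docx()
    print("before:", list_metadata(original))
    print("after: ", list_metadata(scrub(original)))
```

It covers only the document-property parts and the zip timestamps; revision marks and comments also carry author names and are not handled, and nothing here affects fingerprints embedded in the content itself.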
I know there are companies that embed digital fingerprints in all assets on their intranet. Basically the web server serves files with different fingerprints for each employee. These fingerprints can survive even resizing/processing/re-encoding. The company will then be able to track down the person who leaked it by simply looking at the leaked file.
I think it would be interesting for a member of Congress (or their staff) to operate a SecureDrop instance. Such a system might be a useful supplement to other forms of communication between federal officers and Congress (e.g. fax, interoffice, in person). Combined with 5 USC 7211, it might also have strong legal protection (IANAL).
I'm curious: Is any effort made in SecureDrop to detect or scrub identifiable headers or metadata from files? I understand the trust issue is generally with the source, but I could see an identity being leaked via a blob of metadata with a name in it.
How does site authentication work in Onion world? With those unrecognizable URLs, it seems like it'd be easy to set up a phishing site that leaks the whistleblower's identity.
vonnik | 9 years ago
olivierlacan | 9 years ago
Just read the account of how difficult it was for Edward Snowden to reach out to Glenn Greenwald for a perfect demonstration of these issues: https://theintercept.com/2014/10/28/smuggling-snowden-secret...
throwerang | 9 years ago
lazaroclapp | 9 years ago
upofadown | 9 years ago
rdtsc | 9 years ago
olivierlacan | 9 years ago
bweitzman | 9 years ago
snowwrestler | 9 years ago
Spooky23 | 9 years ago
It's less common for companies to have content inspection.
exhilaration | 9 years ago
caseysoftware | 9 years ago
https://www.nytimes.com/2017/01/25/us/politics/some-agencies...
Try to save some of your outrage for actual outrageous events.
burkaman | 9 years ago
hackuser | 9 years ago
sigmar | 9 years ago
eplanit | 9 years ago
j2kun | 9 years ago
pornel | 9 years ago
Vice and Intercept made a better choice using a path on their regular domain:
https://theintercept.com/securedrop/ https://news.vice.com/securedrop/
garrettr_ | 9 years ago
[0]: https://docs.securedrop.org/en/stable/deployment_practices.h...
stuckagain | 9 years ago
alva | 9 years ago
verytrivial | 9 years ago
aqme28 | 9 years ago
Bamberg | 9 years ago
quickConclusion | 9 years ago
btilly | 9 years ago
nthompson | 9 years ago
https://www.schneier.com/blog/archives/2013/12/tor_user_iden...
ransom1538 | 9 years ago
pogo | 9 years ago
swimfar | 9 years ago
brotherjerky | 9 years ago
mdrzn | 9 years ago
CM30 | 9 years ago
jeron | 9 years ago
rc_bhg | 9 years ago
komali2 | 9 years ago
brak1 | 9 years ago
pweissbrod | 9 years ago
georgefox | 9 years ago
iamatworknow | 9 years ago
mikeyouse | 9 years ago
rwmj | 9 years ago
mirimir | 9 years ago
problems | 9 years ago
finalpatch | 9 years ago
josnyder | 9 years ago
timdorr | 9 years ago
pimlottc | 9 years ago