There's no way to know if you're really Kevin Poulsen. Your account was created an hour ago. It could be someone trolling. If you want to prove this is you, you could link your comment from a tweet.
I've read more about your involvement in the Lamo-Manning conversation, and I've changed my mind. Lamo turned in Manning. But you knew Lamo was planning to deceive Manning to make him confess more leaks in a second chat:
He could sign his comment with KP's GPG key. That would be proof. Somehow I feel the real KP would have been savvy enough to do that in the first place.
He's a whistleblower of historic importance. That Verizon FISA order alone has exposed deception at the highest levels of government. Proof that an Ars Technica reader can amount to something.
> Proof that an Ars Technica reader can amount to something.
Cute. I'm sure he read Dilbert a few times too.
It takes quite an astonishing level of arrogance to suggest that being an "Ars Technica reader" was an important part of his identity, as that article did. Internet nerd makes a few comments on tech website, huge shock there.
Anybody with any sense knows you're a plant, not a hacker, and your hacking charges were laid there by the US Attorney to give you cover to turn on real hackers. Wired has been part of the compromised media from the day they published anything written by you.
Lamo's role in the Manning case drew the ire of Glenn Greenwald, of Salon Magazine. An ardent supporter of WikiLeaks, Greenwald has been a passionate critic of Lamo, suggesting that Lamo lied to Manning by turning him in, and also lied after the fact to cover up the circumstances of Manning's confessions. Greenwald places the incident in the context of what he calls "the Obama administration's unprecedented war on whistle-blowers". Greenwald's critique of Wired Magazine has drawn a response from that magazine which suggests that Greenwald is writing disingenuously: "At his most reasonable, Greenwald impugns our motives, attacks the character of our staff and carefully selects his facts and sources to misrepresent the truth and generate outrage in his readership." In an article about the Bradley Manning case, Greenwald mentions Wired reporter Kevin Poulsen's 1994 felony conviction for computer hacking, suggesting that "over the years, Poulsen has served more or less as Lamo's personal media voice."
Greenwald is skeptical of an earlier story written by Poulsen about Lamo's institutionalization on psychiatric grounds, writing: "Lamo claimed he was diagnosed with Asperger's Syndrome, a somewhat fashionable autism diagnosis which many stars in the computer world have also claimed." In his response, Poulsen accused Greenwald of "name-calling, bizarre conspiracy theories and ad hominem attacks".
> Greenwald has been a passionate critic of Lamo, suggesting that Lamo lied to Manning by turning him in, and also lied after the fact to cover up the circumstances of Manning's confessions.
Not sure about the second part, but the fact that Lamo lied to Manning isn't controversial. He's talked about it in a few interviews.
yeah. I am a modest fan of Greenwald, but if Manning didn't want to get caught, talking to Lamo was a pretty dumb move. I mean Lamo got caught and is under (periodic, at least, probably) monitoring by the FBI. Minor disclaimer that I went to Kindergarten with Adrian Lamo.
It's reasonable to not trust Lamo, and maybe even Kevin Poulsen (although IMO he's just reported the news in the PFC Manning case; it's Adrian who turned PFC Manning in. OTOH, if I'd been in Lamo's position (convicted felon!), I probably would have turned him in, too, thinking the whole thing was a sting or otherwise a setup since it was so fucking brazen. The only other safe option is "I HAVE NO IDEA WHAT YOU ARE SAYING, NEITHER AGREE NOR UNDERSTAND, AND DON'T EVER CONTACT ME AGAIN.").
However, I'd trust Declan McCullagh more than any other journalist I know. He also writes for Wired. He's not uncritical of the PRISM story, but I'd trust him to be fair, and he wouldn't himself become part of the story.
liberationtech seems good; p2p-hackers was ok for a while. the old cryptography list was ok in a couple of the incarnations. cypherpunks before the great decline is still my gold standard, though. (remops has been ok at times; some of the digital gold lists were also interesting).
The p2p-hackers channel was also interesting around the same time. The fact that you have to differentiate between the "old cryptography list" and its newer incarnations is sad. I think with each move the list went down hill. It seems half the posts to cryptography are either cc'ed to cpunks and a bunch of other lists or the message is a conference announcement.
When I get bored/nostalgic I will search gmane for one of the prolific mailing list subscribers like Eugen Leitl or that Vladis dude from VT. I found liberationtech via Eugene.
Snowden isn't "in hiding" from intelligence agencies, only from the news media. I assess with virtually nil probability that US and Chinese/HK intelligence don't know where he is right now (the only way one intelligence service wouldn't know details is if the other has already taken him into protection or custody).
He doesn't need to use anonymity systems now; he just needs to use a service which doesn't report IP address to the other end. A simple VPN or whatever would be fine.
If I were seriously on the run, I'd be using a system with days of latency (variable over 1-5 days), which blended in with a widespread current system. Essentially Len Sassaman's old mixmaster remailer system, which interfaces with the world over SMTP. The problem is there aren't enough mixmaster nodes to be really enough now, so you'd want to use a fairly anonymous sender too, and the old "USENET message pool" style systems don't work now that "USENET" basically means "http access to one of a few big providers", too.
Kind of a step back from where we were in 1999, which is bullshit :(
Another anonymous form of communication he could use that would be a lot simpler and hard to track would be old fashioned mail. No need to use a sledgehammer and all that.
Bitmessage has deniability, but if the receiver end is compromised or untrustworthy, then the deniability is gone, and the timing attack might be possible.
Combining Bitmessage and I2P would be a solution, I think, but I don't know of any Bitmessage nodes on I2P.
Not really. From the I2P FAQ: Without protocol scrubbing or higher latency, global active adversaries can gain substantial information. As such, people concerned with these attacks could increase the latency (using nontrivial delays or batching strategies), include protocol scrubbing, or other advanced tunnel routing techniques, but these are unimplemented in I2P
Bitmessage is only plausibly deniable, meaning a traffic analysis is likely to narrow down the list of senders to a few, which is good enough in a manhunt.
When using Bitmessage, everybody receives all the messages in the blockchain. How is the timing attack going to identify him?
Maybe Bitmessage helps receiving messages anonymously, but the timing attack might still be possible when sending messages. I2P can mitigate the problem, but I don't think Bitmessage has any nodes in I2P.
I would say that, if you don't trust Poulsen, don't talk to him.
For me, I just have always assumed that electronic communications are easier to compromise than old traditional ones. In the end, you connect to an ISP and packets can be inspected. OK, you might have encryption, but there have been too many schemes cracked or broken. So, why ever think that electronic comms can ever be secure? In the extreme, if the spooks get your encrypted data and they really believe that the data contains the "ticking bomb", they'll just torture you until you give up the key. So, you're still stuffed. Why give them even that much?
Moreover, the one big issue I have with electronic communications is that it is very hard to know if you are under surveillance. The old methods give you a better chance to discover that you are being watched. It is also easier to hide the fact that you are communicating at all.
The clincher for me was that a while ago an "amusing" story appeared in a British newspaper. Essentially it "exposed" MI6 spies in Moscow using actual drop boxes to pass along information. Now, if MI6 are still using pre-WWII methods, that has to tell you something, right? They don't trust the electronic methods.
So, if secure communications really mattered to me, life or death type mattered, then I'd be looking at things like one time pads, drop boxes, people, etc. Of course a lot of it depends on what you are trying to communicate, how many people are involved, and frankly how much money you have to use.
One thing I do know, electronics would be something I would work very hard to avoid.
Lastly, if I were going to whistle blow to a journalist on this scale, the first thing I would establish would be several methods of communication. Times, places, codes, etc. I suspect that, given the nature of this exposure, that will have been done, and none of it will be electronic.
But remember my bit about knowing if you are being watched. Electronic, I have no idea, unless, IIRC, we get quantum about it. Old skool, chances are better. I, or a friend can observe my drop box or exchange, and so on.
I'm not saying there are no good electronic methods, I am saying that ultimately I'd be more comfortable not using them. Remember too, I am talking ultimate paranoia, life and death.
In the end of course the weakest link of all is the humans operating any system. I mean, the whole PRISM thing was blown by a human.
The other thing in my mind is that these days spooks expect and are geared up for electronic comms, not so human comms. Budgets slashed, less "watchers", and men on the ground. Going olde skool is a sort of curved ball.
Also, I know paper. I can verify hiding places. I can watch people move. I am not good enough to review, completely and confidently, code and encryption software. I would have to trust programmers I don't know, in a climate where we believe the likes of GCHQ, NSA, etc have back doors and cracks. We are given to understand that these people are all over electronic comms. As far as I know, they have not penetrated writing paper and hiding holes. They are not invisible either. Maybe you and others are good enough to verify all the software, encryption and networking software and hardware sufficiently enough to trust your life to it. I know I'm not.
In short, if my life is on the line, I would go with what I know best. I know paper better than deeply complex mathematics and programming.
Besides, given the revelations, why even bother to risk it? Even before all this, I would laugh my nuts off at terrorists who were caught and convicted using electronic evidence. I thought them idiots for even touching a computer to arrange terrorism. I assume that now, they won't be so stupid. It was nice and easy for the authorities to plunder their computers and electronic trail. Now their job just got harder.
You could always rent a botnet for an hour and broadcast PGP messages to all nodes. I'm sure there'd be hacker forums in China where you could rent a mostly HK-based net.
That might be another reason that TOR isn't safe. You don't ever know who any of the other servers belong to ... and the staff at the Exit Node can (and has) read anything. I wouldn't bet my life on software 'originally sponsored by the U.S. Naval Research Laboratory'.
So that they could conduct cyberwarfare ops and maintain deniability. Math is math. All of the cards are on the table, the code is entirely open. The protocol is designed in such a way that any of the in-transit nodes know fuckall about the message's source, destination, or content. There is no "the" exit node, anyone can operate one. Not to mention that there is nothing stopping you from encrypting the data going into the network in the first place. And if you think for a second that the military has some magical insight into information-theory that allowed them to hide a backdoor in a god damn protocol spec, then shit, they can probably factor large primes too, in which case modern crypto is broken.
The State Department has had a strong interest in enabling communications particularly from dissidents in various countries (China, Arabian states, possibly others). I'm aware of some projects they've backed or considered. I'm also aware that State is frequently a cover for intelligence operations. And that there's been a fair bit of cooperation between various intelligence organizations and Free Software projects (Salon's got a long piece on Hadoop up at the moment).
It has more to do with the structure of the public internet. A fully passive observer in a few key locations has a surprisingly high probability of being able to perform correlation attacks.
This is a pretty interesting "where do I start?" paper if you want to know more but don't have much background on the subject:
I think he will keep things to sporadic in-person interviews and frequent changes of where he stays. But I don't think he will stay hidden. I bet as soon as an indictment is handed down, he will turn himself in to the Hong Kong authorities and start fighting extradition.
I am not sure about Bitmessage. It is a very new project and has not been subject to any deep security test. Also, VPNs are as safe as long as the VPN provider is on your side. Tor is your best option.
If Edward Snowden does have a pgp key (I can't find one online), it hasn't been revealed in this message. It looks like the signing and encryption keys are the same:
gpg: armor: BEGIN PGP MESSAGE
gpg: armor header: Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
gpg: armor header: Comment: GPGTools - http://gpgtools.org
:pubkey enc packet: version 3, algo 1, keyid 5B50940B79DEBE35
data: [4096 bits]
gpg: public key is 79DEBE35
:encrypted data packet:
length: unknown
mdc_method: 2
gpg: encrypted with RSA key, ID 79DEBE35
gpg: decryption failed: secret key not available
Of course, they could have used --hidden-encrypt-to, but I think it's more likely a publicity stunt.
Oh, and if you do find a key claiming to be for Edward Snowden online, verify that it's actually him, ideally through the web of trust, and that it isn't just a key that was created after the news was leaked. I'd be wary of any keys on keyservers claiming to be him that have been uploaded after he went public with this.
If --hidden-encrypt-to is used, there still will be signs of that. Specifically, the message is addressed to 0x0000000 and the recipient will basically brute force it using every key he/she has.
Having said that, according to PGP Dump:
Old: Public-Key Encrypted Session Key Packet(tag 1)(524 bytes)
    New version(3)
    Key ID - 0x5B50940B79DEBE35
    Pub alg - RSA Encrypt or Sign(pub 1)
    RSA m^e mod n(4096 bits) - ...
        -> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1 block type 02
New: Symmetrically Encrypted and MDC Packet(tag 18)(4096 bytes) partial start
    Ver 1
    Encrypted data [sym alg is specified in pub-key encrypted session key]
        (plain text + MDC SHA1(20 bytes))
New: (1024 bytes) partial continue
New: (18 bytes) partial end
It looks like we can merely see that the message is destined to 0x5B50940B79DEBE35. We won't be able to tell who the signer is until it is decrypted.
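What the two dumps above expose to someone without the secret key can be read straight from the OpenPGP packet headers (RFC 4880). The following is an added example, not part of the original thread: the function names are my own, and the sample stream is constructed filler laid out like the pgpdump listing (a 524-byte tag 1 packet, then a tag 18 packet in 4096/1024/18-byte chunks), not the real message.

```python
# Added example: OpenPGP (RFC 4880) packet-header walker. Sample data is constructed.
import struct

PKESK, SEIPD = 1, 18            # packet tags named in the pgpdump listing
RSA_ALGOS = {1, 2, 3}

def _new_length(buf, i):
    """Decode one new-format length at buf[i] -> (length, next_index, is_partial)."""
    o = buf[i]
    if o < 192:
        return o, i + 1, False
    if o < 224:
        return ((o - 192) << 8) + buf[i + 1] + 192, i + 2, False
    if o < 255:                  # partial body length: a power of two
        return 1 << (o & 0x1F), i + 1, True
    return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5, False

def packets(buf):
    """Yield (tag, body) for every packet in a binary (de-armored) OpenPGP stream."""
    i = 0
    while i < len(buf):
        hdr = buf[i]
        i += 1
        if not hdr & 0x80:
            raise ValueError("bit 7 clear: not an OpenPGP packet header")
        if hdr & 0x40:           # new-format header, body may arrive in partial chunks
            tag, body, partial = hdr & 0x3F, b"", True
            while partial:
                n, i, partial = _new_length(buf, i)
                body += buf[i:i + n]
                i += n
        else:                    # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:       # indeterminate length: runs to end of input
                n = len(buf) - i
            else:
                width = 1 << ltype
                n = int.from_bytes(buf[i:i + width], "big")
                i += width
            body = buf[i:i + n]
            i += n
        if i > len(buf):
            raise ValueError("truncated packet")
        yield tag, body

def recipients(buf):
    """Return what an observer without the secret key learns from each tag 1 packet."""
    out = []
    for tag, body in packets(buf):
        if tag != PKESK:
            continue
        if len(body) < 10 or body[0] != 3:
            raise ValueError("unsupported public-key encrypted session key packet")
        key_id, algo = body[1:9], body[9]
        info = {
            "key_id": key_id.hex().upper(),        # 64-bit ID, as pgpdump prints it
            "short_id": key_id[4:].hex().upper(),  # low 32 bits, as gpg prints it
            "algo": algo,
            "hidden": key_id == bytes(8),          # all-zero ID: recipient withheld
            "mpi_bits": None,
        }
        if algo in RSA_ALGOS and len(body) >= 12:
            info["mpi_bits"] = int.from_bytes(body[10:12], "big")
        out.append(info)
    return out

def build_sample(key_id):
    """Constructed stream shaped like the pgpdump listing (filler bytes, no real ciphertext)."""
    pkesk = bytes([3]) + key_id + bytes([1]) + struct.pack(">H", 4096) + b"\xaa" * 512
    stream = bytes([0x80 | (PKESK << 2) | 1]) + struct.pack(">H", len(pkesk)) + pkesk
    stream += bytes([0xC0 | SEIPD])
    stream += bytes([0xE0 | 12]) + bytes(4096)   # partial start, 2**12 bytes
    stream += bytes([0xE0 | 10]) + bytes(1024)   # partial continue, 2**10 bytes
    stream += bytes([18]) + bytes(18)            # final chunk, one-octet length
    return stream

if __name__ == "__main__":
    for kid in (bytes.fromhex("5B50940B79DEBE35"), bytes(8)):
        print(recipients(build_sample(kid)))
```

The recipient key ID sits in cleartext in the first packet; the signature, if any, is inside the encrypted tag 18 body, which is why the signer cannot be read off without decrypting.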
Every now and then I start thinking that Poulsen is starting to get the hang of honest journalism and some amount of professionalism, and then something like this comes along that makes it obvious he's still the same pathological attention whore whose primary hacking talents amounted to getting caught a lot.
Meanwhile, per the Washington Post article, he asked the Guardian to set up PGP in Feb, and his contact finally did so in March, both before this key's listed creation date.
"A public and private key each have a specific role when encrypting and decrypting documents. A public key may be thought of as an open safe. When a correspondent encrypts a document using a public key, that document is put in the safe, the safe shut, and the combination lock spun several times. The corresponding private key is the combination that can reopen the safe and retrieve the document. In other words, only the person who holds the private key can recover a document encrypted using the associated public key."
In a world where the US government is scanning all your electronic communications, and (we'll next discover) searching your OS X- and Windows-based computers at will, how do you, as a practical matter, keep your private key "private"?
If you want a realistic chance of not losing control of your private key the only real answers are hardware based - using a tamper resistant smart card, hardware security module, tpm or similar systems in which the signing is done inside the chip that contains your signing keys and no general purpose device ever sees the key at all.
Most people using software only solutions won't ever have their keys stolen, but that's because nobody tried to steal them. The compromise of a client os is inevitable if targeted by a competent actor, given enough time.
Smartcards and HSMs may not be infallible, but their rate of compromise appears to be negligible at best and an extremely rare capability for an offensive team to have access to.
Smartcards are surprisingly cheap and easy to work with, and due to their simplicity and long history are quite secure. The only real attack on them involves physical access and causes obvious physical damage that'd be impossible to miss.
This would probably be the place to start, at least to figure out which type of card you'd want. The main choices are a) support pgp and ssh b) support x.509 certificate based signing c) support time or use type tokens (like smartphone 2 factor apps) or d) some non standardized system running custom code on a tiny jvm inside the card.
a) would be what you'd want in the context of this conversation, but b) is much more supported and has a wider set of use cases.
In most cases it amounts to making sure you buy the right card & reader, plugging it in, and compiling the opensc and related packages.
OS X has smart card support for FileVault 1 but not FileVault 2. It only includes enough drivers to support US DoD CAC cards, and other NATO countries that have standardized on our stuff.
I may be on the edge but a "Trusted Platform Module" doesn't automatically let me conclude that indeed the hardware module is to be trusted.
It seems quite unlikely the masses would have access to a trusted platform of any kind, especially considering that any secure platforms for communication that have existed, like Skype, have been opened up. Even good old GSM (AS/1 was it called?) voice-talk encryption was designed with a backdoor in mind at the urging of NATO.
When I wrote that I definitely debated whether to include tpm in the list because of concerns along those lines. But in the end it's a widely deployed example of that type of technology which makes it a good example. It definitely wouldn't be my first choice in any case just due to the complexity of it - there is > 10k loc inside your typical tpm as I understand it. One thing to keep in mind though is that tpm is a spec/standard that's been implemented by several different vendors. They're the ones that write the code that goes inside as it was considered an implementation detail in the spec. So that means you can buy a german tpm (infineon) or a french tpm (stm) or a us tpm (intel, atmel?) and so on including taiwan and china. So you can sort of pick your poison, presumably they aren't exactly sharing their backdoors with each other at least not france+us+china.
Even assuming it's a compromised platform it's still a hell of a lot more likely to keep your key material safe as compared to having it sit on disk or in addressable address space. One presumes backdoors like that are used sparingly as they become considerably less valuable once publicly exposed.
Only use your private key with Tinfoil Hat Linux on an offline air-gapped computer: http://tinfoilhat.shmoo.com/
I recommend disconnecting your monitor and only receiving output by having it blinked out at you through your capslock light on your keyboard. Bonus points if you can get your hands on some TEMPEST hardened hardware, and/or tamper-resistant hardware.
Anything less will leave you vulnerable to the black helicopters!
Note: I'm joking obviously, but this is something to take seriously.
The light reflected off your eyes from the capslock key is readable from high-res cameras. It's better to have leads hooked up to one of your toes and to toggle a 24V source so you can interpret the pulses in morse code.
Edit: obviously the 24V must come from a battery which is charged only at specific intervals -- otherwise they can interpret your messages by watching mains voltage variation.
Those leads are gonna generate magnetic distortions. You should only do this with your feet next to a giant 18" subwoofer while blasting dubstep in order to mask any electromagnetic fluctuations.
Bonus: Anyone surveilling you via audio bugs will need new ears.
I know this is all in good fun, but you all are uncomfortably close to describing things that will soon get added to the practical threat landscape.
As long as you have a flexible hardware platform that lets you crank up some of the voltage regulator outputs, gpios that can be attached to a long trace/external wire as a makeshift antenna and have a decently fast cpu clock you have all the ingredients for a crude but usable software defined radio. Maybe not super fast if you can't repurpose a hardware phy or radio interface, but more than enough bandwidth to exfil a secret key or 10 for maybe a couple dozen meters.
Tools to do sdr utilizing only general purpose processors and no radio specific gear are already available here and there as research implementations, and code that uses gpus/audio dacs/ and re-purposed phys to make a radio interface with a different spec or broadcast frequency is already in production use (wifi phy using a dvb radio interface -> tv whitespace communicator).
Using an approach like that to exfil or bridge an air gap is just too tempting for it to not happen. Honestly, I'd be willing to bet there's already an example of that somewhere out there in the wild today.
Paranoid thinking is an extremely valuable asset for security researchers. The things we're all joking about are impractical for an average person, but in a spy vs. spy scenario, especially when each side is well funded, these are the kind of things that will actually get used.
Examples of genuine vulnerabilities that would make you look paranoid just by defending against:
* Make educated guesses about passwords from a microphone recording of the keypresses. Both the intervals between keypresses indicate the region of the keyboard being touched, and the sound of each key differs slightly. Given a statistically significant sample of typing, you could deduce which keys are which based on the frequency of their use. http://www.securityfocus.com/news/11318
Well, if you can do that (program a computer via a blinking keyboard LED in Morse code to avoid Van Eck phreaking,) you're well on your way to discovering the lost Nazi gold in the Philippines.
Keep it public, but use a very good passphrase. That's not impossible to do.
I'm not a crypto type but I believe what you want is a password-based key derivation function such as scrypt, the output of which you can then use as the symmetric key to encrypt/decrypt the private key. (This might even be what GPG/SSH does for you; I'm not at all sure)
What more is there to glean from this bogus message?
$ gpg -vvv -d letter-to-snowden.txt
gpg: using character set `utf-8'
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/documentation/faqs.html for more information
gpg: armor: BEGIN PGP MESSAGE
gpg: armor header: Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
gpg: armor header: Comment: GPGTools - http://gpgtools.org
:pubkey enc packet: version 3, algo 1, keyid 5B50940B79DEBE35
data: [4096 bits]
gpg: public key is 79DEBE35
:encrypted data packet:
length: unknown
mdc_method: 2
gpg: encrypted with RSA key, ID 79DEBE35
gpg: decryption failed: secret key not available
There's a 'secret' URL in there that anyone able to decrypt the message will be compelled to click on, at which time the creator can claim either to have contacted Snowden, or to have empirical evidence that the NSA can crack 4096-key RSA PGP messages and none of us are safe.
There are a few things about this that seem odd to me. From elsewhere in the comments, the key is encrypted with 79DEBE35, which, if you look it up on your keyserver of choice, belongs to "Verax (Informed Democracy Front)", created on May 20, 2013.
Verax was the name used by Snowden to communicate with Laura Poitras (and perhaps others as well), but the story didn't break until June 5 and his identity wasn't revealed until days later.
So why is Wired encrypting a message with a key using that name that was generated before the name was publicly known in association with Snowden?
EDIT: Disregard the above—the "encrypted with" key is the recipient's key, not the sender/signer. 79DEBE35 may well be Snowden's key (but that's not proven either).
Verax is the recipient, not the sender. Messages are encrypted using the recipient's public key. You can confirm this yourself by encrypting a message to someone else and checking to see which key it shows under "encrypted with".
So at a guess basically they've encrypted a message that is not Snowden's key that somehow calls back when decrypted (link, exe or something) so they know if the NSA is listening in.
My guess is that this message is Wired asking Snowden for a chat so that they can get some kind of exclusive story. However, as others have pointed out, Wired magazine doesn't exactly have a good reputation when it comes to defending whistle blowers.
Is this just another way to locate him as if it's really serious, only his private key can be used to decrypt it, and his former employer have the public key they use to exchange crypted messages before. In this case it's really stupid
Let's say I wanted to send an encrypted message to Poulsen. (I do NOT, just figuring out the tech) How would I find his public key? Ask him for it? Is there, like, a directory?
The reason you would advertise a page like this is to get lots of people to visit it. It gives Snowden the ability to look like any of the other (tens?) of thousands of people who visit the URL in the next little while.
Also, there's no other way to get the message to Snowden unless you give it publicity. If he browses the Internet for news, he will find there's a message from Wired for him.
79DEBE35 is a key in the possession of Wired, I'm sure they'll enjoy passing your message on to the NSA via their parent media giant.
Edit: Also, it's not very hard to generate a different key with signature 79DEBE35, and put it on the key servers. gpg's displaying of such short abbreviations for keys is one of the worst parts of its UI.
> Edit: Also, it's not very hard to generate a different key with signature 79DEBE35, and put it on the key servers. gpg's displaying of such short abbreviations for keys is one of the worst parts of its UI.
I find all this public key and private key concept is confusing to general people. A private key is an actual key that you can use to unlock an encrypted message. A public key is actually a lock that you gave someone so that he can use to encrypt message and only you can open it.
yeah, I was wondering about how strong GPG was. Back in the day, i.e. the 90's, the assumption was it would take years for then-current NSA supercomputers to factor the keys. Nowadays, with all sorts of new attacks, analyses, and cheap as hell compute time, I would wager that time requirement has gone significantly down.
AFAIK, the current publicly-known record for breaking RSA keys is the factorization of RSA-768 in 2010: http://eprint.iacr.org/2010/006.pdf That paper says it took about 1500 CPU-years to break a 768-bit key, and that the difficulty increases 1000x for each additional 256 bits of key length.
For a back-of-the-envelope cost estimate, I'm going to assume that there have been no major theoretical breakthroughs in the last couple of years, and that the machines they used were roughly equivalent to an EC2 "medium" instance. That puts the cost of breaking a 768-bit key, using spot instances for cost-efficiency, at about US$200k.
That sounds small, but encryption/decryption are still reasonably efficient with larger keys, while factorization becomes vastly harder. Breaking a 2048-bit key would take something like 200 quadrillion dollars worth of CPU time. A 4096-bit key, like the one used for this message, would be vastly more secure than that.
At the moment, the NSA still permits use of 2048-bit RSA for classified information up to SECRET. It would be highly questionable for them to do so if they knew of easily exploitable weaknesses, as they're taking the chance that other governments won't find them.
Remember, the NSA's mandate is twofold: They are a signals intelligence agency, but they are also charged with protecting government communications, much of which occur with commercially-available cryptography.
RSA does make people nervous for some valid reasons, and that's why there's a gradual transition to ECC underway, but there's little reason to expect a practical attack on RSA at 2048+ bits in the near term.
Absent an operational error on the part of Wired or Snowden, I seriously doubt the NSA will be decrypting that message in Snowden's lifetime, and almost certainly not before changes in the political climate.
Uh, the existence of a buffer overflow (which doesn't even cause disclosure of an encrypted message) has nothing to do with the strength of the RSA algorithm, which is what the comment I replied to was talking about.
I remember 768 bit asymmetric keys in the mid 90's, and the paranoid had perhaps a 1024 bit key (I'm not very paranoid, and I got a 2048 bit key before 2000). A 768 bit RSA key was factored in 2009; the NSA could probably do it earlier. The default now is 2048 bits, and the key used by Wired is 4096 bits.
That's a lot of doublings of the difficulty to brute force a key. 2^3328 increase in difficulty.
RSA factoring does not increase with keysize increases like you might expect. Factoring, while still very hard, is much better than brute-force and continues to see improvements.
Hm, unfortunate that those who know what it is will recognize it and not think that and the rest will be confused and close the tab and move on. And the comments (on the Wired article) aren't remotely helpful.
EDIT: Also, a pretty safe way to carry an interview would be VPN + Tor + Bitmessage.
EDIT2: Users sneak and tlb claim Tor isn't safe because of timing attacks. Read below.