
How to leak to the press - anjalik
http://www.niemanlab.org/2017/01/how-easy-is-it-to-securely-leak-information-to-some-of-americas-top-news-organizations-this-easy/
======
vonnik
[Former reporter here] I have worked with confidential sources, and there are
a number of things you can do, as a whistleblower, to protect yourself.

Phone calls are better than files, generally speaking, and you should be
calling from a burner; i.e. a pre-paid phone that is not in your name. You
shouldn't even give your real name to the reporter on first contact. Reporters
take notes and some of them have to share their sourcing with editors. So be
really clear with them how they will treat your real identity, if you choose
to share it.

Face to face meetings are sometimes better than phone calls. You should
assume, when you're handling highly sensitive information, that the reporter's
devices may eventually be hacked, bugged or subpoenaed, so make sure that an
electronic trail does not lead back to you.

You should carefully choose the journalists you leak to. The best choice will
have to be well sourced. That's because the information you leak to them, in
most cases, will have to be confirmed. That is, they will have to call other
insiders they know and ask "Is X true?" If they don't have other sources, the
information you provide will probably not make it to the public.

Reporters also get contacted by a lot of nut jobs, so early on, do what you
must to establish credibility. Trust has to be established both ways.

~~~
olivierlacan
I'm not quite sure you realize how risky to sources the methods of contact you
suggest are. I understand your point of view as a former reporter, clearly you
know what works best for the receiving end. But burners without a voice
modulator of some sort are very likely a huge deterrent for most potential
sources because they don't know whether they can trust the cell network
(localisation, voice identification).

Face to face meetings sound preposterous for someone who would risk
prosecution under the Espionage Act for instance. I know that's a rare
scenario, but in more common cases there are still clear inherent risks in
meeting face to face with a journalist. And that's not even considering the
potential time and costs involved in reaching a journalist with
national/international reach.

Regarding nut jobs, that clearly sounds difficult to parse. But at the risk of
sounding like I'm hounding on you, there seems to be a misunderstanding on the
part of journalists of the kinds of risks sources are putting themselves into.

Worse yet, an underestimation of how much journalists, through their
expectations and treatment of source data, passively and routinely put their
own sources at risk by being illiterate in matters of operational security
(encryption, surveillance self-defense, network security, etc.).

Just read the account of how difficult it was for Edward Snowden to reach out
to Glenn Greenwald for a perfect demonstration of these issues:
https://theintercept.com/2014/10/28/smuggling-snowden-secrets/

He had to enlist outside help to get a journalist to stop fucking around with
operational security. This in turn is perhaps why Snowden is still free and
alive to this day.

~~~
vonnik
I'm not sure you know what you're talking about.

I'm talking about what has worked for the confidential sources I had, and the
means they chose to communicate with me, which in fact prevented me or my org
from knowing who they were. (They were not up against the intelligence
agencies of the US, but nonetheless they did not want to be known, and
succeeded.)

Investigations usually happen in retrospect, after leaks have been made
public. And the data that is most searchable surfaces leads most quickly.
Files and emails are the most searchable thing of all. Easy to copy. Stored
many times as they travel. That is less true of voice. And even less true of
face to face meetings, done right. So sure, use a voice modulator. That's a
good idea. Even better: send a paper envelope full of documents printed on
someone else's machine; wear latex gloves and dab the stamp with tap water
rather than saliva.

Journalists have a filtering problem that you don't seem to understand. They
are inundated with wackos hawking "news" that's really just a figment of the
imagination. Partisan sources pretending to be neutral spin them every day. A
good source, with good information, has to realize that and break through to
the reporter by demonstrating authenticity, because the reporter is
overwhelmed. If you don't care about breaking through, then don't do it. It's
not a misunderstanding on the journalists' part; it's the nature of their job.
They don't have time to wade through all the crazy claims.

Everything's hackable. People should assume that reporters and their
organizations will have a lapse in security, that they cannot withstand the
collective efforts of intelligence agencies. Just like any other company in
the world and the DNC... And those sources should arrange to protect
themselves if their communications are found by someone who's not the
reporter.

~~~
amorphid
Tl;dr -- you're gonna have to stick your neck out, so don't work with someone
who will get your head chopped off.

~~~
argonaut
No, that's not the tl;dr.

------
olivierlacan
The very fact that an organization like the Nieman Foundation can publish
something like this article without first having the good sense of enabling
required TLS on their website is frighteningly careless.

Anyone from governmental agencies who read this article at home or work can
now fairly easily be targeted by the relevant surveillance agencies.

~~~
exhilaration
I'm confused, what would TLS do? The surveillance agencies can log an HTTPS
URL as easily as an HTTP URL, they don't need to see the contents to see that
you requested it.

~~~
mcherm
Not true.

HTTPS encrypts the URL as well as the content of the communication. Someone
surveilling the conversation with the ability to observe all network traffic
but without the ability to decrypt SSL traffic would be able to tell that the
end user had viewed something at a particular website (technically, at a
particular server), but would NOT be able to tell WHICH article was viewed.

~~~
detaro
I wonder how much that actually gains for this specific case ("which article
did IP $x view?"). With more effort, it should be fairly easy to match the
traffic pattern to the article, e.g. by matching the size of subsequent
requests for the images. But more complicated than a simple filter that just
grabs all URLs from HTTP.

~~~
ethbro
_> With more effort_

That's the new key point for 2017 pro-privacy architectures.

Proof of work surveillance doesn't scale because requiring it leverages the
disparity between the total level of Internet traffic and intelligence agency
resources.

Kill the dragnets as step 1, then worry about step 2.

~~~
deathhand
It would be helpful to have a website to display a random image of differing
sizes for every page load. This would prevent fingerprinting https.

~~~
pixl97
Um, I don't believe that would help. You either inline the images as data, or
better, get rid of all images and have random length non-printing text to hide
the real data. This kills caching and performance though.

~~~
btown
[https://github.com/technion/mod_randpad](https://github.com/technion/mod_randpad)
(an Nginx module that injects padding as a comment into returned HTML
documents) is likely the correct layer to add random padding; the performance
hit would be negligible.
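
The size-matching attack detaro describes, and the padding ideas that follow it, as an added worked example in Python (an editorial addition, not code from the thread or from mod_randpad; the article sizes, the 29-byte record overhead and the padding parameters are all constructed). `candidates` is the eavesdropper matching an observed TLS response length against a catalogue built by crawling the public site once; `bucket_padding` and `random_padding` are the two mitigations. The last function shows the caveat random padding does not remove: repeated fetches of the same page let the observer squeeze the feasible length back down, whereas bucket padding yields the same length every time.

```python
"""Page identification by response size, and how padding blunts it.

Added example, not from the thread. Sizes and overhead are constructed.
"""
import secrets

# Constructed catalogue: article path -> HTML size in bytes, as an observer
# could build it by fetching every public page once.
CATALOGUE = {
    "/2017/01/how-easy-is-it-to-securely-leak/": 48_213,
    "/2017/01/some-other-post/": 48_207,
    "/2017/01/a-third-post/": 61_902,
    "/2016/12/year-in-review/": 35_440,
}

# Assumed constant per-response framing (record headers, MAC/tag). Real traffic
# is split into records, but the sum of their payloads still tracks the body.
OVERHEAD = 29


def no_padding(size):
    """Observer's model with no mitigation: body length equals page length."""
    return size, size


def bucket_padding(size, bucket=16_384):
    """Pad deterministically to the next multiple of `bucket`, so every page in
    the same bucket has the same length on the wire, on every fetch."""
    padded = -(-size // bucket) * bucket
    return padded, padded


def random_padding(size, max_pad=4_096):
    """Append 0..max_pad filler bytes per response (e.g. a random-length HTML
    comment). The observer only knows the body lies in this interval."""
    return size, size + max_pad


def wire_size(size, scheme, rng=secrets):
    """Simulate one fetch: the length an eavesdropper records for a page of
    `size` bytes served under `scheme` (uniform within the scheme's interval)."""
    lo, hi = scheme(size)
    return lo + rng.randbelow(hi - lo + 1) + OVERHEAD


def candidates(observed, catalogue, scheme):
    """Pages whose possible wire lengths under `scheme` include `observed`."""
    body = observed - OVERHEAD
    return sorted(p for p, s in catalogue.items()
                  if scheme(s)[0] <= body <= scheme(s)[1])


def candidates_over_time(observations, catalogue, max_pad=4_096):
    """Random padding weakens with repetition: every fetch of the same page
    confines its true length to [max(obs) - max_pad, min(obs)], and that
    window closes as more fetches are seen. Bucket padding has no such drift."""
    bodies = [o - OVERHEAD for o in observations]
    lo, hi = max(bodies) - max_pad, min(bodies)
    return sorted(p for p, s in catalogue.items() if lo <= s <= hi)


if __name__ == "__main__":
    target = "/2017/01/how-easy-is-it-to-securely-leak/"
    for scheme in (no_padding, bucket_padding, random_padding):
        seen = wire_size(CATALOGUE[target], scheme)
        print(f"{scheme.__name__:15} wire={seen:6} -> {candidates(seen, CATALOGUE, scheme)}")
```

With these numbers the unpadded fetch identifies the article outright, 16 KiB buckets make three of the four pages indistinguishable, and random padding only hides the article among pages within 4 KiB of it; a page whose size is far from every other page stays identifiable whatever the random pad.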

------
caseysoftware
Even the NYTimes has admitted the "omg gagged scientists!" line is standard
operating procedure with new Administrations:

> _“I’ve lived through many transitions, and I don’t think this is a story,”
> said a senior E.P.A. career official who spoke on the condition of anonymity
> because he was not authorized to speak to the news media on the matter. “I
> don’t think it’s fair to call it a gag order. This is standard practice. And
> the move with regard to the grants, when a new administration comes in, you
> run things by them before you update the website.”_

https://www.nytimes.com/2017/01/25/us/politics/some-agencies-told-to-halt-communications-as-trump-administration-moves-in.html

Try to save some of your outrage for _actual_ outrageous events.

~~~
hackuser
Trump and his people have openly spoken and acted against the media. Also,
IIRC, the prior Republican administration blocked scientists from speaking
openly and had politicos edit all communications, while the Obama
administration allowed the scientists to communicate unfiltered. One
speculative statement from an anonymous EPA official doesn't offset that.

> Even the NYTimes has admitted

I'm not sure what that means. The Times has reported all sides of the
spectrum. They broke the Hillary Clinton email server story, for example, and
also Trump's tax returns.

~~~
caseysoftware
It's quite common that employees cannot comment on behalf of their employers.
EPA scientists are executive branch employees so their boss is Trump.

> _However, one of the consequences of the election is that the new
> administration now controls what federal agencies say and what side of an
> issue they take in a debate about, for example, climate change or
> reproductive rights._

Ref: https://www.aclu.org/blog/speak-freely/government-employees-get-have-opinions-too

~~~
hackuser
That justifies Trump's power to do it, but it doesn't make it good or
acceptable. The President has the power to do many things that are wrong.
Trump could order other employees to invade other countries and to kill and
torture people.

> EPA scientists are executive branch employees so their boss is Trump.

And Trump's boss is the American people. Everyone in the executive branch and
throughout the government reports to them, ultimately.

------
pornel
Sites shouldn't be putting secure drops in a subdomain. DNS and TLS SNI expose
domain names in plain text, so 3-letter agencies watching backbone traffic
will immediately notice when "securedrop.example.com" is accessed.

Vice and Intercept made a better choice using a path on their regular
domain:

[https://theintercept.com/securedrop/](https://theintercept.com/securedrop/)
[https://news.vice.com/securedrop/](https://news.vice.com/securedrop/)

~~~
garrettr_
(SecureDrop developer here). Obviously we agree, using a SecureDrop-specific
subdomain makes traffic analysis trivial. Our deployment best practices [0]
warn folks not to use subdomains.

Sadly, since SecureDrop is decentralized, we cannot enforce this, and some
organizations apparently find it very difficult to provision a separate path
("example.com/securedrop" instead of "securedrop.example.com") for their
SecureDrop landing page.

[0]: https://docs.securedrop.org/en/stable/deployment_practices.html#landing-page

~~~
x1798DE
What about provisioning other, non-securedrop stuff on that subdomain, and not
calling it "securedrop"? Seems like that's better than nothing:

misc.mydomain.com/securedrop
misc.mydomain.com/pacman-game
misc.mydomain.com/portraits-of-frieda-kahlo

Ideally you'd leave it at the top level since obviously whatever other random
junk you put on the subdomain will be lower-traffic than the main domain, but
at least here there's plausible deniability (I was just clicking on an easter
egg that played pac-man!)

------
stuckagain
So much more to opsec than using tor. I hope leakers are either ready to be
unmasked, or have countermeasures against things like document fingerprinting.

~~~
aqme28
Out of curiosity: How do you counter document fingerprinting?

~~~
_rolf
Probably best if you recreate the document from scratch and "in your own
words".

~~~
vog
That's dangerous as well, because now your language can be analyzed and
compared with other writings from you.

~~~
tyrust
Just get hammered [0] before writing.

[0] - or sober, whatever is the opposite of your typical working state

------
btilly
How long until someone on the Trump side starts sending spam to all of these
addresses?

They can't block it, but good luck finding real signal in millions of
requests.

Or, more subtly, deliberately leaking easily discredited stuff. Once it gets
published, it becomes a propaganda target. As a great example, consider how
Dan Rather was taken down by
[https://en.wikipedia.org/wiki/Killian_documents_controversy](https://en.wikipedia.org/wiki/Killian_documents_controversy).
Planting a perfect smoking gun was enough to bring down Dan Rather and make
the story of how Bush got his draft deferment toxic in the media.

The ultimate irony there is that the story that Dan Rather reported was
actually _true_. It had all been reported in The Guardian by Greg Palast, and
Dan Rather had started with access to his research. It didn't matter, planting
perfect fraudulent documents managed to discredit it.

~~~
anc84
Why the Trump side? Did you not notice what the Obama side did to Manning and
Snowden, just to name two leakers?

~~~
TheShadowRunner
Obama (for the most part) went after National Security leakers, IIRC.

Trump seems to be going after any federal agency that does not pursue goals
that he wants.

~~~
PKop
What are you talking about... serious question?

Seems as if what Trump has initiated is no different than previous
administrations upon taking office [0]. Are you sure there's some clear break
from past precedent?

[0]
[https://twitter.com/mtracey/status/825001424455077890](https://twitter.com/mtracey/status/825001424455077890)

~~~
btilly
I am quite sure. Moves like
https://www.washingtonpost.com/politics/whitehouse/epa-science-under-scrutiny-by-trump-political-staff/2017/01/25/1f8424a2-e35b-11e6-a419-eefe8eff0835_story.html?utm_term=.35d2bd397afa
to provide political review and censorship of scientific work is something
that hasn't happened in this country since McCarthy was taken down.

Or take the reinstatement of the Holman rule. See
https://www.washingtonpost.com/local/virginia-politics/house-republicans-revive-obscure-rule-that-could-allow-them-to-slash-the-pay-of-individual-federal-workers-to-1/2017/01/04/4e80c990-d2b2-11e6-945a-76f69a399dd5_story.html?utm_term=.9628dc4f9cef
This rule allows politicians to target individual civil servants. This is
again not business as normal. This rule was removed under Ronald Reagan in
1983. No administration since has sought its reinstatement. This again fits
into the theme of creating "chilling effects" from partisan oversight of what
is supposed to be a politically neutral organization.

For a third example, see
http://www.salon.com/2017/01/10/please-dont-tell-us-the-truth-house-gop-blocks-budget-watchdog-from-reviewing-cost-of-obamacare-repeal/
The CBO is widely viewed as neutral, and has been kept that way for many
years. It routinely provides estimates for every bill of what that bill's
impacts are likely to be, including the estimates of the impact on our
deficit. However House Republicans want to repeal the Affordable Care Act and
do not wish to be embarrassed by estimates of how much removing some of its
inflation limiting provisions will impact our federal deficit. So they are
banning the CBO from calculating this number.

I can cite plenty of precedents for all of these actions. They are all before
my birth, or in other countries. They are emphatically NOT business as usual
in the modern USA.

------
nthompson
This reminds me of the Eldo Kim bomb threat:

https://www.schneier.com/blog/archives/2013/12/tor_user_identi.html

I guess the guy was the only one on the network using tor, making him easy to
identify.

So unless tor gets a huge userbase in DC, it seems like an encrypted url would
be safer. (I don't know much about tor; am I wrong?) Everyone reads WaPo; no
suspicion getting on that site.

But I think the main difficulty in becoming a leaker is that you have to hide
your mental evolution as you decide to become a leaker. By expressing your
dissatisfaction to your colleagues before you decide to leak, you make
yourself a suspect post-leak. Leakers should be aware that traditional
investigative mechanisms are very powerful, and even if the crypto is rock
solid, it is still very likely they'll be caught. It's then a question of
whether they are willing to 'take one for the team'.

~~~
crb002
SSH tunnel to a bitcoin paid server, connect from there. That's how the tool
sending me threatening pictures of my house operated. Fortunately his opsec
sucked and he scoped me out on LinkedIn with an account under the same
pseudonym of Mr. "Dendler". One email to LinkedIn to make a backup of his
account in case a subpoena was needed and he stopped immediately. Must have
connected to them with a traceable means.

~~~
iamatworknow
That seems pretty drastic (sending photos of your house). Mind if I ask why
you were targeted?

For what it's worth when I was a young jerkoff in college I was spamming on
some forums and pissed off a guy who later sent me my college address. I got
his IP from the forum, tracked down his ISP, and messaged them and the FBI
about it along with the threatening chat logs and never heard from him again.
Not that I think they took real action, but it was some script kiddie I wanted
to set straight with the threat of real consequences. This was back around
2004 or 2005 when things were a bit more loose in terms of encryption and
privacy online.

~~~
strathmeyer
An admin of HackerNews targeted me once because.... I posted a comment on an
article that was later linked from here. Kept asking me what my boss would say
when he talked to him on the phone. Except she was a woman and only took
emails.

------
ransom1538
The hard part isn't anonymously leaking the information. (You could do this
with a $0.15 envelope and a stamp. Just remember not to put in your address as
the return address and to wear gloves).

The hard part when you leak is that you are now in a set of people that _knew_
the information. That usually boils things down to a handful or even one
suspect. And since it is in fact illegal to lie to US federal agents, they
will have you in their office by lunch.

~~~
pogo
In this case, get a lawyer and don't answer any questions without them. Also,
if you do leak a hard copy, print it at a public place and use a B&W printer.
Color printers are relatively easily traced.

~~~
tqkxzugoaupvwqr
Are those tracking dots not microscopic? I would assume printer manufacturers
also put them on black-and-white prints. Even if they don’t do it now, this is
only a printer driver update away.

~~~
pogo
They are very small, but not microscopic. They are done in yellow ink, which
is why they are very hard to see. If they were printed in black ink, I think
you'd be able to spot them immediately, despite their small size.

------
brotherjerky
> Leakers shouldn’t use their work computers and should use public wifi, “like
> a Starbucks or at a hotel or anywhere where the Internet is open for public
> use.”

Lately there seem to be very few completely open wifi points. Most of them at
least require some click through for agreeing to terms. Is there any risk
involved here?

~~~
stuckagain
All of the ones with click thru terms of service are logging your MAC too.

My personal favorite open wifi service is the one on Amtrak, and you can buy a
paper ticket with cash. Pretty anonymous.

~~~
bbrazil
Any AP knows your MAC, as that's the basis of how Ethernet works.

~~~
stuckagain
Yes thanks. The point is those click-thru landing pages work by temporarily
whitelisting your MAC, which means they have a list of MACs somewhere. The MAC
information needed by ordinary networks is ephemeral.

~~~
colanderman
Even without click-throughs. Comcast Business routers keep a log of every MAC
that's ever connected wirelessly. Granted I think it's a bug as it causes the
MAC whitelisting page to take like a minute to load.

Even my Mikrotik at home logs MACs by default. The log is small and not
persisted, but log entries definitely stick around a few days.

Don't count on your MAC not being logged.

~~~
nitrogen
And if the router itself isn't doing it, there are programs like arpwatch.

------
mdrzn
I had no idea all the major news sites had an .onion Secure Drop website. I
wonder how many leaked news they receive per year.

~~~
CM30
They likely receive a lot of leaked news items a year.

However, the vast majority are either:

1. Completely fake, because someone on 4chan/Reddit/an internet forum/social
media wanted to see how many journalists they could prank with false
information.

2. Uninteresting or pointless to write about, since they don't describe
newsworthy stories.

So the amount of actual, legitimate leaked news stories they receive a year is
likely a lot less than the amount of stories they receive through these
systems in total.

~~~
MrZongle2
I'd also offer: 3. Somewhat interesting and likely legitimate, but doesn't
support any narrative the editor(s) or owner(s) wish to promote.

~~~
euyyn
There are media outlets all over the political space, so it's just a matter of
dropping your stuff to the ones that are interested.

~~~
bdrool
Yes, but since everyone is super-polarized these days and only listens to
"news" outlets pushing narratives they already agree with, that means no one
hears it who needs to. It's very hard to get a story to get widespread
attention.

------
rc_bhg
Does Fox News or CNN accept leaks? I feel like having a secure way to accept
leaks is a sign of a good news org.

~~~
komali2
From a business standpoint, they'd be stupid not to. A good leak could mean an
exclusive.

------
brak1
> Leakers shouldn’t use their work computers and should use public wifi, “like
> a Starbucks or at a hotel or anywhere where the Internet is open for public
> use.”

Hotels can normally link a computer on their network to a room number...
Suggesting they use a hotel wifi isn't a good idea IMO (unless you are not
actually a guest, and its just an open public wifi network).

~~~
euyyn
Many hotels have open WiFi in their lobbies, for convenience.

------
pweissbrod
If you're one of the vast minority of internet users happening to be using Tor,
this stands out like a sore thumb to any party monitoring network activity.
Not to mention many of the direct nodes may well be your would-be
adversary. I hope users of this approach understand the risks involved. Tor
seems deceptively plug-and-play to the less technical crowd.

------
georgefox
A few of these articles are suggesting that uploads be performed from public
places (e.g., Starbucks) for the sake of anonymity/deniability. But it would
seem that performing these actions in public would potentially reveal your
identity, actions, and secret codename to any eyes or cameras around. As a
question of general curiosity about anonymity, how does one weigh the benefits
of using an open internet access point with the more literal visibility that
using a public access point might entail?

~~~
iak8god
When I wake my computer after a session of normal use and connect it to an
open network, it immediately starts sending out messages to a bunch of
different entities (google, dropbox, evernote, etc, etc) that can be rather
easily traced back to that access point. IMHO this should be an even bigger
concern than identifying a public wifi user through surveillance images, and
it's a point that articles like this one routinely ignore, or gloss over:

> "Use as much caution and good sense as you can about distancing yourself
> from equipment and network locations you might be connected to."

Possibly an audience who has never heard of Tor before (the target for this
piece) needs some more concrete advice about this than "use caution and good
sense."

~~~
georgefox
Hmm, yeah. The linked video from the Globe and Mail says to avoid surfing the
web during the procedure, but avoiding explicitly going to Facebook and
Twitter (their examples, IIRC) won't stop all identifiable network traffic
from your device. I suppose that's where the suggestion of using a boot-from-
USB OS might come in.

~~~
iak8god
I consider myself to be quite savvy and I'd have _zero_ confidence in my
ability to reliably shut down all identifiable traffic, except by setting up a
tool that blocks all traffic (like Little Snitch[1]) and then making an
exception for Tor traffic.

And then there's the fact that most people's MAC addresses are ultimately tied
to their identities in a way that a powerful actor could recover it without
too much difficulty.

[1]
[https://news.ycombinator.com/item?id=13443858](https://news.ycombinator.com/item?id=13443858)

------
iamatworknow
This may be a dumb question, but why not just use the post office?

~~~
mikeyouse
The Panama Papers were 11.5 million documents that were leaked all at once --
If a piece of paper is .1mm thick, that stack would be 1.15km tall. If a
single piece of copy paper weighs 5 grams, double-sided printing 11.5 million
documents would produce a stack that weighs almost 30 metric tons.

Point taken though, one of the bigger stories of the campaign was the billion
dollar loss that Trump claimed on his taxes in the mid-1990s. That came to
WaPo and NYtimes via USPS and just landed in their mailboxes.

~~~
iamatworknow
Couldn't one take that many documents and throw them on a flash drive (or even
a hard drive if it's on the order of terabytes) and mail that? I'm certainly
no security expert but wouldn't the risk in terms of using the drive/files to
identify you be about the same for mailed physical media compared to it being
sent electronically, but with decreased risk of interception along the way?

------
rwmj
Is using a PDF a good idea? I imagine that it'll contain loads of interesting
metadata which might be related back to your computer at some later date.

~~~
mirimir
Well, there's
[http://www.sno.phy.queensu.ca/~phil/exiftool](http://www.sno.phy.queensu.ca/~phil/exiftool)
:)

------
finalpatch
I know there are companies that embed digital fingerprints in all assets on
their intranet. Basically the web server serves files with different
fingerprints for each employee. These fingerprints can survive even
resizing/processing/re-encoding. The company will then be able to track down the
person who leaked it by simply looking at the leaked file.

------
josnyder
I think it would be interesting for a member of Congress (or their staff) to
operate a SecureDrop instance. Such a system might be a useful supplement to
other forms of communication between federal officers and Congress (e.g. fax,
interoffice, in person). Combined with 5 USC 7211, it might also have strong
legal protection (IANAL).

------
timdorr
I'm curious: Is any effort made in SecureDrop to detect or scrub identifiable
headers or metadata from files? I understand the trust issue is generally with
the source, but I could see an identity being leaked via a blob of metadata
with a name in it.
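
On rwmj's question about PDF metadata and timdorr's about scrubbing identifiers before submission, an added Python example (an editorial addition, not SecureDrop code; `PDF_SAMPLE` is a constructed, cut-down file with a made-up author and no xref table). `pdf_info` reports the literal-string entries of the document's /Info dictionary, which is where Author, Creator, Producer and CreationDate live, and `blank_info` overwrites those values with spaces of equal length so that existing byte offsets stay valid. It ignores hex strings and the XMP metadata stream, so treat it as a leak check rather than a sanitizer; a real scrub also has to handle the XMP packet, and exiftool writes its PDF edits as a reversible incremental update, so the old values remain in the file until it is rewritten.

```python
"""Inspect and blank the /Info metadata dictionary of a PDF.

Added example, not from the thread. PDF_SAMPLE is a constructed fixture.
"""
import re

# Constructed: just enough of a PDF to carry an Info dictionary. A real file
# also has an xref table and usually an XMP metadata stream.
PDF_SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Author (jdoe) /Creator (Microsoft Word 2013) "
    b"/Producer (Acrobat Distiller 11.0) /CreationDate (D:20170125093000-05'00') >> endobj\n"
    b"trailer << /Root 1 0 R /Info 3 0 R >>\n"
    b"%%EOF\n"
)

_INFO_REF = re.compile(rb"/Info\s+(\d+)\s+\d+\s+R")
# /Key (literal string), allowing backslash-escaped characters inside the string.
_LITERAL = re.compile(rb"/([A-Za-z]+)\s*\(((?:[^()\\]|\\.)*)\)")


def _info_dict_span(pdf):
    """Byte range of the dictionary body of the object the trailer's /Info
    entry points to, or None. Assumes a flat dictionary (no nested << >>)."""
    ref = _INFO_REF.search(pdf)
    if not ref:
        return None
    obj = re.search(rb"(?<!\d)" + ref.group(1) + rb"\s+\d+\s+obj\s*<<(.*?)>>\s*endobj",
                    pdf, re.S)
    return (obj.start(1), obj.end(1)) if obj else None


def pdf_info(pdf):
    """Literal-string entries of the Info dictionary as {key: value}.
    Hex strings (<...>) and XMP are not examined: this is a leak check."""
    span = _info_dict_span(pdf)
    if span is None:
        return {}
    body = pdf[span[0]:span[1]]
    return {k.decode("ascii"): v.decode("latin-1") for k, v in _LITERAL.findall(body)}


def blank_info(pdf):
    """Overwrite every Info string value with spaces of identical length.
    Same byte length means cross-reference offsets elsewhere stay correct,
    which is why this patches in place instead of rewriting the file."""
    span = _info_dict_span(pdf)
    if span is None:
        return pdf
    start, end = span

    def blank(m):
        head = m.group(0)[: m.start(2) - m.start(0)]   # "/Key (" with original spacing
        return head + b" " * len(m.group(2)) + b")"

    return pdf[:start] + _LITERAL.sub(blank, pdf[start:end]) + pdf[end:]


if __name__ == "__main__":
    print("before:", pdf_info(PDF_SAMPLE))
    print("after: ", pdf_info(blank_info(PDF_SAMPLE)))
```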

------
pimlottc
How does site authentication work in Onion world? With those unrecognizable
URLs, it seems like it'd be easy to set up a phishing site that leaks the
whistleblower's identity.

~~~
jvdh
.onion addresses are like a public key. The server needs to have a private
key.

Vanity addresses, ones that have a name at the beginning, require some
processing in order to find the right public key.
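
What jvdh describes, as an added Python example (an editorial addition, not Tor's code): a v2 onion address, the 16-character kind in use when this thread was written, is the first 80 bits of SHA-1 over the service's DER-encoded RSA public key, base32-encoded. The random byte strings below stand in for real keys; the derivation is the same. Because a client checks the key it is handed against the address, a phishing site cannot reuse an outlet's address, only a lookalike one, and `find_vanity` shows why lookalikes cost roughly 32 keypairs per matching leading character. v3 addresses derive from ed25519 keys with a different construction and are 56 characters long.

```python
"""How a v2 .onion address is bound to the service's public key.

Added example, not from the thread. Random bytes stand in for real keys.
"""
import base64
import hashlib
import random

B32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"
KEY_STAND_IN_BYTES = 140   # roughly the DER size of an RSA-1024 public key


def onion_v2_address(der_public_key):
    """permanent-id = SHA-1(DER public key)[:10], base32 lower-case.
    The address therefore commits to the key: whoever cannot produce a key
    with this hash cannot be reached at this name."""
    digest = hashlib.sha1(der_public_key).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower()


def expected_tries(prefix):
    """Average number of keypairs to generate before an address starts with
    `prefix`: each base32 character is 5 bits, so 32 ** len(prefix)."""
    if not prefix or any(c not in B32_ALPHABET for c in prefix):
        raise ValueError("prefix must be lowercase base32: a-z and 2-7")
    return 32 ** len(prefix)


def find_vanity(prefix, max_tries=200_000, seed=None):
    """Brute-force stand-in keys until the address starts with `prefix`.
    Returns (key, address, tries) or None if the budget runs out. With real
    keys the loop is identical but each step is an RSA key generation."""
    rng = random.Random(seed)
    for tries in range(1, max_tries + 1):
        key = rng.getrandbits(8 * KEY_STAND_IN_BYTES).to_bytes(KEY_STAND_IN_BYTES, "big")
        addr = onion_v2_address(key)
        if addr.startswith(prefix):
            return key, addr, tries
    return None


if __name__ == "__main__":
    found = find_vanity("ny", seed=2017)
    if found:
        print(f"{found[1]}.onion after {found[2]} stand-in keys "
              f"(expected about {expected_tries('ny')})")
```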

------
matthewhall
Who da thunk, this is blocked at my school

------
relieferator
New law - every computer / keyboard must now contain (already has??) a
keylogger.

~~~
wuschel
Source?

Side comment/question: Depending on your operating system, perhaps?

