

Introducing SafeSource, A New Way To Send Forbes Anonymous Tips And Documents - kevination
http://www.forbes.com/sites/andygreenberg/2013/10/29/introducing-safesource-a-new-way-to-send-forbes-anonymous-tips-and-documents/

======
jdmitch
It's a shame that on the actual SafeSource site they don't seem to give much
assurance:

 _Forbes does not make any representations or warranties as to SafeSource, and
your use of SafeSource is on an "as is" basis, at your own risk._

I suppose it is just to cover them legally, but they could be a bit more
reassuring to whistleblowers and informants who might not understand the
technology very well or the credentials of those who have vouched for it like
Schneier and others.

~~~
iloveponies
No, actual whistleblowers should be covering their own asses as much as
possible with informed decisions and good opsec/infosec practices and not
trusting anyone or anything else which includes the press. If a
whistleblower's identity is exposed, it stands to reason media outlets have
more to gain from the fallout.

------
kuny
And of course the landing page
[https://safesource.forbes.com/](https://safesource.forbes.com/) tracks any
potential leakers left, right and center.

A quick glance at the source reveals immediately these externally hosted
javascripts:

- contextual.media.net (unsecured http)
- js.moatads.com (unsecured http)
- tags.bluekai.com (unsecured http)
- akamai.com
- cdn.krxd.net
- google-analytics.com
- sb.scorecardresearch.com
- i.forbesimg.com (unsecured http)

That's right, the "new way to send anonymous tips" immediately tips off at
least 7 external parties!
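
An added example, not part of the comment above or of the original thread: a Python check that a site operator could run over a landing page's markup to list scripts loaded from other hosts and mark those fetched over plain HTTP, the same audit the comment describes doing by eye. The page URL, markup and hostnames are constructed placeholders on reserved example domains.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def audit_scripts(page_url, html):
    """Return {host: {"insecure": bool, "count": int}} for off-host scripts."""
    page_host = urlsplit(page_url).hostname
    collector = ScriptCollector()
    collector.feed(html)
    findings = {}
    for src in collector.sources:
        # urljoin resolves relative and protocol-relative (//host/x.js) URLs
        absolute = urlsplit(urljoin(page_url, src))
        host = absolute.hostname
        # Exact host match: sibling subdomains are reported as separate hosts
        if host is None or host == page_host:
            continue
        entry = findings.setdefault(host, {"insecure": False, "count": 0})
        entry["count"] += 1
        entry["insecure"] = entry["insecure"] or absolute.scheme == "http"
    return findings


# Constructed sample markup (assumption): not the markup of any real page.
SAMPLE_URL = "https://tips.example.org/"
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="http://ads.example.net/tag.js"></script>
<script src="//cdn.example.com/lib.js"></script>
<script src="https://metrics.example.com/a.js"></script>
<script>var inline = 1;</script>
</head></html>
"""

if __name__ == "__main__":
    for host, info in sorted(audit_scripts(SAMPLE_URL, SAMPLE_HTML).items()):
        flag = "PLAINTEXT HTTP" if info["insecure"] else "https"
        print(f"{host:28} {flag:15} scripts={info['count']}")
```

Every host in the output receives a request, and therefore the visitor's IP address and the page URL as referrer, each time the page loads; hosts marked as plain HTTP additionally expose that request to anyone on the network path.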

------
betterunix
How about instead of each newspaper creating its own system, they all just run
a Mixmaster/Mixminion/Sphinx node, so that there is no single point of
failure? The problem of anonymous communication has been well-studied and we
know how to make practical systems for it. I should not have to connect to a
server run by Forbes in order to communicate anonymously with Forbes.

------
pasbesoin
Buy an inexpensive b/w laser printer, paying with cash. Maybe wear a baseball
cap with a big front bill, for good measure. Or buy second hand. Preference to
a model that at least ostensibly does not insert "hidden" identifiers into its
printouts. Also buy a sealed ream of printer paper and envelopes that you can
nest inside larger envelopes, all in packaging. And a glue stick.

Buy stamps from an automated machine, paying with cash. Only handle them with
gloves on, and be careful of body material adhering to the adhesive.

Put on your latex or similar gloves. Avoid touching yourself or breathing on
them -- you might decide to wear a face mask and a hair net (before putting on
the gloves).

Unpack the printer, and the paper. Load it up and print your documents. Print
your mailing envelopes.

Find the mailing address in a non-obvious fashion. E.g. preferably from a
paper copy of the newspaper. Don't Google it. Also, address a reporter known
to have a strong interest in the topic/area you are addressing.

Put documents in mailing envelopes. Seal using glue stick. Apply postage
carefully to avoid trapping identifiable material in the adhesive. If the
adhesive requires activation (e.g. water), use the glue stick for this.

Nest the envelope in the larger envelope.

Find mailbox or mail drop that is, hopefully, unmonitored. DON'T take your
cell phone with you when finding it nor when subsequently visiting it. Try to
make it somewhere away from your normal patterns. Beware of your car being
tracked; it may be better to visit it on foot or on a bicycle.

Slide the mailing envelope out of its nest in the larger envelope, into the
mail receptacle. Try to be as discreet in this as possible.

I started writing this thinking that the suggested instructions would be
relatively straight-forward. I'm realizing now just how much they are not so.

Now, a final step. Picture this scenario in a world where everyone's DNA is
profiled -- a proposal that keeps rising in many states and which is already
increasingly applied to everyone who is ever arrested -- _not convicted_, just
arrested. Or has any "secure" role, which can include working in a hospital or
other healthcare setting, working with children, working in law enforcement,
working for any paranoid employer in a state not explicitly protective of
personal privacy...

I am suddenly realizing just how important "online" "black boxes" may be,
going forward.

P.S. Also, I simply ran out of steam -- motivation for what started as a minor
thought exercise. Of course, the above doesn't address the security, or lack
thereof, of the system holding the documents and from which they are being
printed. Nor many other aspects.

Already, it is seeming difficult enough.

I'm also thinking more about other, less desirable scenarios that seek to use
anonymous postal mail. That was not my purpose. I was solely, hypothetically
addressing sending whistle-blowing material to a journalist.

I am feeling more than a bit paranoid, right now...

~~~
discardorama
This could be for East Germany in the heyday of the Stasi; but sadly it's
today's USA. SMH...

------
ChikkaChiChi
If I were a whistleblower, the only way I would feel safe would be through an
Airgap using Shoe Leather Protocol.

If only the media could be trusted.

------
dmazin
SecureDrop is going to end up being so important to journalism and overall
freedom I just want to cry endlessly about Swartz's fate, which came far
before he (or we) knew about his potential effects on the world.

------
robertfw
Where is the source code?

~~~
geofft
It's a deployment of SecureDrop:

[https://pressfreedomfoundation.org/securedrop](https://pressfreedomfoundation.org/securedrop)

[https://github.com/freedomofpress/securedrop/](https://github.com/freedomofpress/securedrop/)

------
codeulike
_An online submissions system of the kind pioneered by WikiLeaks ..._

Nice that they give credit. These systems are going to be increasingly
important.

------
pud
Here's a link for the lazy:
[https://safesource.forbes.com/](https://safesource.forbes.com/)

~~~
Domenic_S
I thought that said SourceSafe and nearly had a heart attack.

~~~
ChikkaChiChi
Nah, that would just create duplicates of your files, crash when you need it
the most, and corrupt things beyond recognition and force you to blow the
whistle again from the start.

------
jniles
This is a great idea (even if not original). Every news agency should budget
one of these as part of being in the business.

------
digitalengineer
What about using a law firm as your front? Let them print and send the
'secrets'?

------
Sovietaced
This is amazing.

------
benhebert
Does not sound very safe.

~~~
jsmeaton
Why not?

