
The New Yorker Strongbox - danso
http://www.newyorker.com/strongbox/
======
pilif
I was discussing with a colleague whether tor is still trustworthy these days:
running exit nodes without ending up in jail or thrown out by your ISP becomes
more and more difficult (if it's not impossible already). Also tor still gets
a lot if bad press as being nothing but a medium for child porn consumers to
hide their tracks.

As such I wonder whether there are exit nodes (or even just plain nodes) left
that are not being run by governments as honeypots?

How can you be sure that the data you are submitting is not intercepted? How
can I be sure that all my traffic is not running through one government
network (because all tor nodes still left are compromised)? How can I be sure
that I'm actually submitting my information to the New Yorker in this case as
opposed to a government server posing as them?

The announcement page linked is not being served over SSL and the onion URL
given isn't using ssl either (as if any ca would sign a cert for that domain,
but if the linked page was served over SSL they could publish a fingerprint
there)

If I had important information to leak, I would probably still have an
otherwise uninvolved colleague drop by in person to dump the data for that one
(and only one) time. If I had a friend willing to take the risk.

Or if there was an EV signed page of the New Yorker listing an SSL fingerprint
of a certificate that's used by that tor server, then maybe I could live with
the fact that tor is likely compromised.

Then again, maybe I'm just a paranoid coward. I'm so glad I don't have access
to information anybody would be interested in.

~~~
chimeracoder
> Then again, maybe I'm just a paranoid coward. I'm so glad I don't have
> access to information anybody would be interested in.

I agree with everything else you're saying, but I should just point out one
thing:

It doesn't matter whether or not anybody is interested in your information -
especially in this era of en-masse passive data collection, you have the
_right_ to your own data, which includes the right _not_ to be snooped on by
third parties (governmental or otherwise).

It doesn't matter whether or not you "have anything to hide", only whether you
have anything you _want_ [voluntarily] to _show_.

</rant>

~~~
saraid216
Honestly, it's great that you're passionate about the issue, but that doesn't
a logical argument make. Privacy is an intuitive _concept_ , but it translates
surprisingly poorly to reality. That's not to say privacy doesn't exist or
isn't important, but that we don't _actually_ know what it is.

Intuition makes for bad law, not least because everyone has different
intuitions; it's basically asking, "Why don't programmers just program in
English?"

~~~
gknoy
Thankfully, my kids are learning Lisp before English, so at least that let
them program more intuitively.

(Kidding: ... if only I could. My son doesn't seem interested in it.)

------
ComputerGuru
I'm not surprised to see this coming from The New Yorker.

I've all but given up on quality journalism from most "newspapers," but long-
form investigative articles from The New Yorker and Vanity Fair (yes, of all
places!) always keep my faith in humanity. Less-lengthy but usually well-
researched articles from Mother Jones and Harper's are also up there.

Other sources that sometimes do an awesome job but other days leave you
scratching your head would be NPR, The Atlantic (less investigative
journalism, but awesome write-ups), The New York Times (covering everything
from tabloid trash to 20-page quality journalism spreads), and The Seattle
Times (likewise, but less crappy and less awesome at both extremes).

~~~
jfb
If you haven't already, check out _The Economist_. They have a strong, clear
ideological bias, but the writing is excellent and it's one of the very few
places to get any sort of news in English about parts of the world that _The
Times_ ignores.

~~~
seldo
I have been a subscriber to the Economist for, woah, 11 years now. Simply by
virtue of its weekly format, it does a good job of ignoring a lot of the
interesting-but-transient stuff that wastes your time if you read regular news
online. It also has great breadth of coverage -- it's easy to get parochial
when you read online news, especially tech, and the E is a reminder that the
rest of the world exists and that important things are happening in it.

However, the breadth seems to often come at the expense of depth -- on the
occasional chances I get to discuss an article in the Economist with an actual
expert in that field, it seems their analysis is often dismissed as
superficial and they not-infrequently get basic facts wrong (their letters
section often contains quite substantial corrections).

~~~
rndmize
I generally read the Economist by means of their website, and its quite
interesting to read the comments on articles; they usually fill in the gaps of
the articles or point out errors (especially in the case of articles focused
on a single country, which if flawed will bring out the nationals in force.)

------
danso
FYI, "Strongbox" is a fork for the open source project that Aaron coded, which
is called "DeadDrop"...it was down because Github pages was recently down, but
back up now: <http://deaddrop.github.io/>

The repo contains this thorough Threat Model/theory guide:
[https://github.com/deaddrop/DeadDropDocs/blob/master/THREAT_...](https://github.com/deaddrop/DeadDropDocs/blob/master/THREAT_MODEL.md)

~~~
masklinn
It not a fork, it's the first production use since DeadDrop was discussed
with/instigated by New Yorker journos.

In fact, there's a shoot-out and link to DeadDrop _in the page's
introduction_. Not sure why you thought an FYI was necessary...

~~~
danso
I came across StrongBox in this blog post, in which DeadDrop was mentioned but
the repo not linked to:

[http://www.newyorker.com/online/blogs/newsdesk/2013/05/stron...](http://www.newyorker.com/online/blogs/newsdesk/2013/05/strongbox-
and-aaron-swartz.html)

In the OP, "DeadDrop" is listed prominently but not as text...so when I came
to the page, my first instinct was to do a Find for "deaddrop" to see if the
repo was there, which comes up empty of course.

Without reading the Aaron Swartz post, I would've assumed "DeadDrop" was an
existing service because of the brandlogo, and not a link to the open source
repo.

Note: I'm not saying there's anything wrong with how it's done, I'm just
pointing out my thought process: Anyone who comes to the OP without having
read the Aaron Swartz post would not know of the open-source project
underneath it (though it isn't a fork, so my mistake) and may not click
through the "DeadDrop" logo. People who have read the Swartz post may be like
me, wondering where the Github code is, as it is not linked to in the Swartz
post.

Just trying to make the project more visible for those of us less skilled at
sussing out HTML. No fault of the New Yorker's...both posts are aimed at
different audiences (though the Swartz post should probably just include a
link straight to DeadDrop for convenience's sake)

------
revscat
This comment is somewhat parenthetical, but one thing I am glad to see is that
the cyberpunk/cypherpunk spirit that was so influential in the early days of
the Internet has carried on over into today. There are areas -- important ones
-- where anonymity and cryptography are necessary tools in addressing various
wrongs, regardless of the objections of the state. That a mainstream
journalism organization like The New Yorker has recognized this, and has found
it important enough to implement a technical means of addressing, shows that
the work of pioneers like Zimmerman, Assange, Schwartz, and many others have
been fruitful over the long term.

~~~
saraid216
I... just realized that I know so many Zimmermans that I don't know which one
you're referring to offhand.

~~~
graue
Probably the inventor of PGP: <https://en.wikipedia.org/wiki/Phil_Zimmermann>

------
thruflo
Might be useful to serve that page over https so the .onion address it
contains can't be changed by a man in the middle.

~~~
daviddoran
Agree. I think they should be using HTTPs, HSTS etc for this page.

~~~
bjacobel
Github Pages, to my knowledge, doesn't support HTTPS. They'd have to move it.

------
pqdbr
This is amazing because it's endorsed by a major mainstream news organization.
A good point when arguing with those that defend that Tor is only meant for
terrorism, child pornography and illegal activities.

~~~
pyre

      | Tor is only meant for
    

Tor was developed by the US Navy so that people in oppressive regimes could
have secure communications, though I guess that could qualify as 'illegal
activities' under the laws of said regimes...

------
jjmardlin
It's great to see a reputable organization finding use for Tor and online
anonymity. Innovative, advantage gaining move in a not so innovative industry.

~~~
grandalf
In the past decade, the New Yorker has been the _only_ news organization
(aside from Wikileaks) doing significant investigative journalism.

~~~
rthomas6
That's quite an assertion. I'd say that a few public radio programs I listen
to have done some great investigative journalism.

Specifically:

[http://www.thisamericanlife.org/radio-
archives/episode/487/h...](http://www.thisamericanlife.org/radio-
archives/episode/487/harper-high-school-part-one)

<http://apps.npr.org/unfit-for-work/>

[http://www.npr.org/blogs/money/2013/05/07/182010027/episode-...](http://www.npr.org/blogs/money/2013/05/07/182010027/episode-456-marijuana-
arbitrage)

[http://www.propublica.org/article/finding-oscar-massacre-
mem...](http://www.propublica.org/article/finding-oscar-massacre-memory-and-
justice-in-guatemala)

~~~
grandalf
NPR is great, but never questions the legitimacy of the US Government.

------
DanBC
This thread - of smart people - shows a little bit of confusion over the
difference between _anonymous_ and _secret_.

That's kind of scary when we think about the reasons someone might be sending
stuff to a newspaper, and the need that have to be anonymous. Secret would
probably be good too. At least until the newspaper prints.

Newspapers are supposed to explain stuff to their audience. This article
doesn't explain much. Like the saying goes, when I see how badly they do with
stuff I know about I have to wonder about everything else too.

------
ianso
Nice. I have to say this is the best approach to "wikileaks"-style journalism
since wikileaks itself imploded. Now here's hoping they have what it takes to
publish what lands in their inbox, even when the US Govt objects...

------
salimmadjd
It's a sad day when a US based publication is leading the charge to protect
its sources to ensure the vitality of the freedom of the press. I had expected
this in an authoritarian regime, not here.

~~~
Jun8
In a _real_ authoritarian regime this page would not have existed at all due
to government pressure (or would have been a honeypot for government). Such
regimes generally work through the double whammy of threat of action (legal or
thug-based, e.g. in Russia) to the actual reporters who uncover dirt and
subtler threats/coercions to their bosses, the latter of which leads to self-
censorship and is much preferred. A recent example of the second approach is
the suppression of news about the bombing in Reyhanli in the Turkish press.

~~~
salimmadjd
I considered the same argument you are making before posting my comment.
However, for this to have happened in USA it means we are half way there or
getting there.

The media is controlled by two factions now: Government through access (you
don't get to come to white house if you piss us off or you wont get the
interview)

Large corporations and the major characters behind them. (i.e. Fox news,
Viacom, etc.

This is not the path to maintain an open society. We don't need thugs like
less sophisticated media controlled countries , we control media in a much
more elegant way. But the results are the same!

~~~
brown9-2
As the blog post announcing this points out
([http://m.newyorker.com/online/blogs/closeread/2013/05/introd...](http://m.newyorker.com/online/blogs/closeread/2013/05/introducing-
strongbox-anonymous-document-sharing-tool.html)) in a lot of ways this is an
extension of the mailing address or phone number that the New Yorker has
advertised (and informants have been using) since the 1920s.

------
nsxwolf
The government has really showed us how little we can trust them in the last
couple weeks. Go Tor!

~~~
rsync
ToR is funded by the US government.

~~~
lawnchair_larry
What does that have to do with his claim that the USG is not trustworthy? Are
you implying that it isn't the solution that it claims to be, due to the
funding source?

~~~
rsync
I'm not claiming anything - I'm simply pointing out that the answer to the
question "will tor protect me" has a little bit more nuance than it is usually
answered with...

~~~
lawnchair_larry
That's why I said "implying" - can you state directly what you mean? Your
reply wasn't directly relevant and you're intentionally being vague and
ominous, which isn't useful.

The most logical conclusion, given the information that you're providing, is
that "Tor might not protect me because the authors accept US Government
funding".

If so, it's important to call that out as the BS that it is. Either you are
highly ignorant as to how Tor works, or you are being malicious for some other
reason.

If I've missed something, please clarify.

------
derrida
GlobaLeaks enables news organizations to offer a similar functionality:
github.com/GlobaLeaks Includes some Tor developers on the dev team.

They have been working on this for 2-3 years in the open and would appreciate
bug reports & people to run the code. They also currently maintain Tor2Web,
the first version of which was written by aaronsw

------
smoorman1024
Nice to see a strong endorsement of Tor. I imagine it will help The New Yorker
attract new sources for their stories.

------
Serow225
I'm pretty much ignorant about Tor, but I'm curious why the .onion strongbox
address they give is a string of random characters, instead of something
recognizable/memorable?

~~~
acebarry
If they wanted to make a memorable address, they would have to run something
like Shallot [1]. This is essentially brute forcing private keys until you
find the public key you want. Depending on the name, that could take a very
long time.

[1] <https://github.com/katmagic/Shallot>

~~~
zokier
I don't really understand how they can claim that shallot-generated keys are
as secure as normal keys. If you are able to essentially brute force your key
(to create the customized address), wouldn't the adversarial (with presumably
much greater computing power) be able to do the same?

------
igul222
I don't get the point. If you trust them, isn't it okay to reveal your
identity to The New Yorker anyway since they're legally protected from being
compelled to reveal your identity? And if you don't trust them, why should you
trust that they're not logging your identity even on Strongbox?

<http://en.m.wikipedia.org/wiki/Protection_of_sources>

~~~
pwenzel
You raise a good point. However, in light of the Justice Department secretly
obtaining AP phone records [1], this provides an alternative option for secure
information.

For information that is best delivered anonymously, this sounds like one of
many tools to get your message out there.

[1] [http://www.npr.org/2013/05/14/183810320/justice-
department-s...](http://www.npr.org/2013/05/14/183810320/justice-department-
secretly-obtains-ap-phone-records)

~~~
mtgx
No he does not have a point. Even if he does trust them, that's irrelevant.
The point of anonymity is so others (especially governments) don't find out
your identity. That can be done regardless of how much you trust the
publisher.

Why do you think Wikileaks was invented?

------
brown9-2
The deaddrop installation documents
(<https://github.com/deaddrop/deaddropdocs/>) refer to a repo at
<https://github.com/deaddrop/deaddrop_puppet> which doesn't seem to have been
made public yet. Would be interesting to see the rest of the installation
procedure.

------
zimbatm
I hope this becomes a standard, every news organization needs one of these.

------
gesman
VERY wise move! Contrary to tormail.org - you know who owns the TOR-based
messaging system and this will surely increase an inflow of "hot" [albeit
unverifiable] stories! Great way to stay ahead of less techy competition.

------
ignostic
Good for the New Yorker; I hope this catches on. Unfortunately, _if the
encryption is not end-to-end, the data is not secure_. In fact, the NSA may
choose to hang out and watch the unsecured traffic flow.

 _The New Yorker should make the traffic a little more secure by encrypting
traffic (using https)_.

There have been past instances where similar weaknesses were exploited by
sniffers:
[http://www.wired.com/politics/security/news/2007/09/embassy_...](http://www.wired.com/politics/security/news/2007/09/embassy_hacks?currentPage=all)

~~~
ef4
That vulnerability applies when accessing normal web pages via Tor.

But that's now what the New Yorker has set up. They're hosting a Tor hidden
service, and in that case Tor is necessarily encrypting the traffic end-to-
end.

~~~
286c8cb04bda
The problem is that you got the .onion address from an unsecured web page.

Someone between you and that unsecured web page could've changed the .onion
address and when you went there you would be visiting a Strongbox hosted by
the NSA rather than one for The New Yorker.

~~~
mcdigman
This is why you typically want to publish things like this as far and wide as
possible - if any single source is compromised, it can be detected by noticing
a discrepancy between two publicly available addresses. I'd wager they'll put
it in their print edition (same as their physical address and phone number)
from now on, because the NSA probably isn't going to everyone's house swapping
out their magazines for altered ones, so anyone who gets the magazine will
have a hard copy of the address.

------
lowglow
Trying to do something similar here: <http://valleyanon.com/> \- Let me know
if you're interested in helping out with the project.

------
ck2
Soooo can .onion addresses be spoofed for MIM attacks?

~~~
pwenzel
Man in the middle attacks on Tor are possible. Check out Moxie Marlinspike's
2009 BlackHat DC Presentation on SSL Stripping:

<http://vimeo.com/50018478>

<http://www.thoughtcrime.org/software/sslstrip/>

~~~
nwh
Attacks such as those referenced are are not relevant in this case.

As this website is being served as a hidden service, the traffic never exits
the Tor network. There's no SSL in use for a MITM attack to remove, nor does
there need to be.

------
FramesPerSushi
What an awesome idea, this needs to become a standard. This will lead to lots
of interesting and previously impossible stories in the future!

------
jmmcd
What is the purpose of the people on the New Yorker end having to switch
machines? How can the submitter trust that they've done that?

~~~
mcdigman
Because the internet facing machine could have been infected with malware that
allows someone to read the decrypted message, and send it back over the
internet. First, being compromised in the first place is less likely for the
machine not connected to the internet, because it is booted fresh from a CD-
ROM every time, and the CD is read only, so in order to install something
unwanted on the computer the attacker would have to physically replace the CD.
Second, even if it were compromised, it is not connected to the internet, so
there should not be any way for it to transmit the information, again unless
someone has physically bugged the machine.

------
ISL
How do we know that Tor is reliable?

It's the de facto standard, but, barring bugs, is it provably NSA-resistant?

~~~
shabble
Even if it is already entirely broken by them, there's the question of whether
they'll risk revealing that fact by going after you (publicly) c.f. _Ultra_
[1] level intelligence from breaking Enigma.

[1]
[https://en.wikipedia.org/wiki/Ultra_%28cryptography%29#Safeg...](https://en.wikipedia.org/wiki/Ultra_%28cryptography%29#Safeguarding_of_sources)

~~~
acheron
Yes, we all read Cryptonomicon too.

------
benrmatthews
Out of interest, what are other potential applications for Dead Drop, beyond
journalism?

------
tyang
What's a good guess here as to the signal to noise ratio?

------
tenpoundhammer
I'm really searching for an Al Gore joke here, someone help me out.

