How to leak to the press (niemanlab.org)
680 points by anjalik on Jan 27, 2017 | 207 comments

[Former reporter here] I have worked with confidential sources, and there are a number of things you can do, as a whistle blower, to protect yourself.

Phone calls are better than files, generally speaking, and you should be calling from a burner; i.e. a pre-paid phone that is not in your name. You shouldn't even give your real name to the reporter on first contact. Reporters take notes and some of them have to share their sourcing with editors. So be really clear with them how they will treat your real identity, if you choose to share it.

Face to face meetings are sometimes better than phone calls. You should assume, when you're handling highly sensitive information, that the reporter's devices may eventually be hacked, bugged or subpoena'd, so make sure that an electronic trail does not lead back to you.

You should carefully choose the journalists you leak to. The best choice will have to be well sourced. That's because the information you leak to them, in most cases, will have to be confirmed. That is, they will have to call other insiders they know and ask "Is X true?" If they don't have other sources, the information you provide will probably not make it to the public.

Reporters also get contacted by a lot of nut jobs, so early on, do what you must to establish credibility. Trust has to be established both ways.

I'm not quite sure you realize how risky to sources the methods of contact you suggest are. I understand your point of view as a former reporter, clearly you know what works best for the receiving end. But burners without a voice modulator of some sort are very likely a huge deterrent for most potential sources because they don't know whether they can trust the cell network (localisation, voice identification).

Face to face meetings sound preposterous for someone who would risk prosecution under the Espionage Act, for instance. I know that's a rare scenario, but in more common cases there are still clear inherent risks in meeting face to face with a journalist. And that's not even considering the potential time and costs involved in reaching a journalist with national/international reach.

Regarding nut jobs, that clearly sounds difficult to parse. But at the risk of sounding like I'm hounding on you, there seems to be a misunderstanding on the part of journalists of the kinds of risks sources are putting themselves into.

Worse yet, an underestimation of how much journalists, through their expectations and treatment of source data, passively and routinely put their own sources at risk by being illiterate in matters of operational security (encryption, surveillance self-defense, network security, etc).

Just read the account of how difficult it was for Edward Snowden to reach out to Glenn Greenwald for a perfect demonstration of these issues: https://theintercept.com/2014/10/28/smuggling-snowden-secret...

He had to enlist outside help to get a journalist to stop fucking around with operational security. This in turn is perhaps why Snowden is still free and alive to this day.

I'm not sure you know what you're talking about.

I'm talking about what has worked for the confidential sources I had, and the means they chose to communicate with me, which in fact prevented me or my org from knowing who they were. (They were not up against the intelligence agencies of the US, but nonetheless they did not want to be known, and succeeded.)

Investigations usually happen in retrospect, after leaks have been made public. And the data that is most searchable surfaces leads most quickly. Files and emails are the most searchable thing of all. Easy to copy. Stored many times as they travel. That is less true of voice. And even less true of face to face meetings, done right. So sure, use a voice modulator. That's a good idea. Even better: send a paper envelope full of documents printed on someone else's machine; wear latex gloves and dab the stamp with tap water rather than saliva.

Journalists have a filtering problem that you don't seem to understand. They are inundated with wackos hawking "news" that's really just a figment of the imagination. Partisan sources pretending to be neutral spin them every day. A good source, with good information, has to realize that and break through to the reporter by demonstrating authenticity, because the reporter is overwhelmed. If you don't care about breaking through, then don't do it. It's not a misunderstanding on the journalists' part; it's the nature of their job. They don't have time to wade through all the crazy claims.

Everything's hackable. People should assume that reporters and their organizations will have a lapse in security, that they cannot withstand the collective efforts of intelligence agencies. Just like any other company in the world and the DNC... And those sources should arrange to protect themselves if their communications are found by someone who's not the reporter.

Self-adhesive stamps have greatly enhanced tradecraft.

Tl;dr -- you're gonna have to stick your neck out, so don't work with someone who will get your head chopped off.

No, that's not the tl;dr.

> Face to face meetings sounds preposterous for someone who would risk prosecution under the espionage act for instance

Snowden met face to face with Glenn Greenwald and Laura Poitras.

Things are improving. Lots of journalists have Signal now.

Non-rhetorical question:

What's the best way to leak from the press? Suppose a whistleblower inside, say, the NYT, has internal evidence that demonstrates some kind of negligence or malfeasance in the important task of informing the public?

Who would be the right party to leak to, for one thing? Another press institution?

Also, has anything like this ever, like, actually happened? If so, when? If not, why not?

Most likely not the answer you're looking for...

The most recent act of negligence by a journalistic institution that has happened recently was reported by The Intercept (Glenn Greenwald's gig) about the Washington Post's reporting on how Russia was behind the "fake news" propaganda that was unfortunately in itself a sort of propaganda. To discover why, you'll have to read those articles yourself.

In any case, I think journalists typically keep each other in check. And, thankfully, in prestigious institutions you're judged by the quality of your work and whether or not it can be fact checked. Unfortunately, reported facts in the United States are about as big of a hand patting Barack Obama on the back after winning the next election. Everything is irony and nothing is sincerity.

> Phone calls are better than files, generally speaking, and you should be calling from a burner; i.e. a pre-paid phone that is not in your name.

Wouldn't you still be identifiable based on voice biometrics? Or by the security camera video of whichever store you buy the burner phone from? And if meeting in person, you could be trivially shadowed.

It still looks to me like "Phone calls are better than files" is completely backwards. Files can be transferred over onion routing or other darknets, carry less identifiable information and can be digitally signed to establish identity as being the same source over multiple leaks.

Phone calls and in-person meetings are far less likely to end up leaving behind proof (provable in court) of information you passed to someone. If you send files, you have to first create or possess the files. That can leave behind hard evidence. Evidence that you bought a burner phone or met someone isn’t quite the same as evidence that you passed specific information.

And if you're under surveillance, being shadowed, then clearly you're going to have a lot of trouble using any means.

Files also contain lots of extra metadata you aren't aware of: images have EXIF (camera serial number, GPS location), PDFs have creator, timestamps, machine IDs, etc. Files aren't just files.

Well OK, but the most useful thing about securedrop is that you can use it to leak documents that are already in electronic form. You can't really send files from a burner phone and having to actually meet someone to give them a USB drive is pointlessly inconvenient.

For actual communication that might identify you, sending a plain text file over something like securedrop is much safer than using a burner phone to call an endpoint that is pretty much for sure under heavy surveillance. If you don't know about metadata then you probably shouldn't do this until you are done with the required research.

> Phone calls are better than files, generally speaking, and you should be calling from a burner; i.e. a pre-paid phone that is not in your name.

Is that fairly easy to do? I heard in some countries it is hard to get a SIM card without a proper ID. How easy is it to get a burner phone in the US without raising red flags?

> How easy is to get a burner phone in US without raising red flags?

Trivial. I see them all the time at grocery stores, pharmacies, et cetera.

I thought they started requiring identification to buy those at least 5 years ago.

Suppose a leaker, or even a bad person like a criminal or terrorist, wants to get a burner phone – what is to stop them from paying e.g. a homeless person to do it? (Many homeless people have photo ID, even with valid addresses on them, albeit addresses they haven't actually lived at in a while.)

T-mobile will sell you a prepaid sim and ask you no questions at all.

The very fact that an organization like the Nieman Foundation can publish something like this article without first having the good sense of enabling required TLS on their website is frighteningly careless.

Anyone from governmental agencies who read this article at home or work can now fairly easily be targeted by the relevant surveillance agencies.

They're also leaving themselves open to MITM attacks, where an attacker could change all of the tor addresses.

(SecureDrop developer here) That's why we created https://securedrop.org/directory (HTTPS, HSTS, preloaded, .onion available, etc.). Use that instead! Also, we have strong recommendations for the news organization's "landing pages" (e.g. https://theintercept.com/securedrop/), including requiring HTTPS, to prevent this and other obvious security issues.

Is this a shameless plug?

At least he was upfront about it by putting a disclosure in parentheses.

Even SSL sites are not immune. On corporate networks, the clients trust the company cert, which is used to proxy all traffic (including HSTS and HPKP/pinned sites) for filtering/logging.

If you don't trust the machine you're currently on then it's already game over from a security perspective.

Isn't the actual content of the page signed by the site's certificate though? And they can't just serve a different certificate because your browser can tell whether or not it was issued by a trusted CA. How does the attack work in this case?

Edit: Nevermind — I assume you're referring to this scenario[1], in which the company installs a root certificate onto your actual computer that allows them to sign certificates for other sites.

[1] http://security.stackexchange.com/a/63306

A lot of corporate computers have at least an additional CA authority on each computer that they use... if you're using a corporate computer, it's really easy for them to MITM any request, just relaying requests to the public resource, then proxying and using their CA signed cert in the proxy.

From there, everything can be tracked.

If you have a corporate computer, you shouldn't rely on any expectation of privacy. There's nothing stopping them from installing other monitoring software—screen grabbers, keyloggers, etc.—whenever they please.

That's where something like Tails comes in handy. :)

I don't think Tails would work because a corporate proxy would likely block any outgoing connections. Also most corporate IT policies would probably disallow running something like Tails.

That's working. If it fails secure it's keeping you alive.

Monitoring hardware, then.

But why would they bother. The point of collecting data for surveillance is to provide signals that help sort the real threats from the noise. But the Nieman Foundation is such a well-known and widely-read blog that just reading an article there is not at all noteworthy, regardless of the subject.

Most government employees are not even in a position to access leakable data even if they wanted to. Targeting them based on reading an article would be a waste of effort.

If you're at work at a place where reporters would give a hoot about what you have to say, most likely your TLS sessions are intercepted at the proxy.

It's less common for companies to have content inspection.

All the SSL MitM products I've seen can do content inspection. Not yet for freeform text, though who knows...

I'm confused, what would TLS do? The surveillance agencies can log an HTTPS URL as easily as an HTTP URL, they don't need to see the contents to see that you requested it.

Not true.

HTTPS encrypts the URL as well as the content of the communication. Someone surveilling the conversation with the ability to observe all network traffic but without the ability to decrypt SSL traffic would be able to tell that the end user had viewed something at a particular website (technically, at a particular server), but would NOT be able to tell WHICH article was viewed.

I wonder how much that actually gains for this specific case ("which article did IP $x view?"). With more effort, it should be fairly easy to match the traffic pattern to the article, e.g. by matching the size of subsequent requests for the images. But more complicated than a simple filter that just grabs all URLs from HTTP.

> With more effort

That's the new key point for 2017 pro-privacy architectures.

Proof of work surveillance doesn't scale because requiring it leverages the disparity between the total level of Internet traffic and intelligence agency resources.

Kill the dragnets as step 1, then worry about step 2.

It would be helpful to have a website to display a random image of differing sizes for every page load. This would prevent fingerprinting https.

Um, I don't believe that would help. You either inline the images as data, or better, get rid of all images and have random length non-printing text to hide the real data. This kills caching and performance though.

https://github.com/technion/mod_randpad (an Nginx module that injects padding as a comment into returned HTML documents) is likely the correct layer to add random padding; the performance hit would be negligible.

SD dev here. You might be interested to check out https://github.com/freedomofpress/fingerprint-securedrop (note: still in experimental stages). We're going to be using the framework/ ML pipeline to evaluate server-side defenses (e.g., https://petsymposium.org/2017/papers/issue2/paper54-2017-2-s...), and are also working w/ Tor dev Mike Perry who is working on a solution or set of solutions to the problems of website & circuit fingerprinting with regards to Tor at the protocol level.

Edit: What Mike is trying to implement is based on https://arxiv.org/pdf/1512.00524.pdf.

Could you as the host send out random extra bytes that make it hard to match up?

> at a particular website (technically, at a particular server)

You got it right the first time around, the parenthetical correction is wrong. The SNI is transmitted in plain text during the TLS handshake.

> but would NOT be able to tell WHICH article was viewed.

What about inspecting traffic pattern? I suspect that each article has different size.

I noticed some sites use a subdomain for securedrop. Does that reveal that they're visiting the securedrop page, or not?

Yes, both through DNS requests (although one maybe could somewhat mitigate that by having each visit to the main domain trigger requests to the subdomain, a) creating traffic and b) putting it in peoples' DNS caches) and HTTPS (All modern browsers include the domain via SNI).

It still might be a better choice, given that the main domain for many sites goes through CDNs and more complex systems in general, increasing the risk of compromise there (which also would expose network details about the submitter, and possibly even more)? A dedicated securedrop site hopefully has dedicated infrastructure and better security.

> Does that reveal that they're visiting the securedrop page, or not?

Potentially, if they're using TLS/SSL with SNI.

Just as true if they're using the real domain with a dedicated IP, right?

Nope, if they're not using SNI, you'd just see the IP address. Fire up Wireshark some time when you're browsing and watch what comes through.

> Nope, if they're not using SNI, you'd just see the IP address.

but that's my point... if you're not using SNI, there's only one SSL server on that IP address, and if reverse-DNS fails you, you can connect on port 443 and ask it for its certificate and it will give it to you...

Ok, so they'd only know that you visited a domain like this at a given time?

That still gives away a lot, many of these secure drop sites are on a subdomain.

I have a Palo Alto Networks firewall with URL filtering. I can observe destination URLs on HTTPS sites without performing SSL decryption. Please see the EFF website showing certain information that can be observed by onlookers [0] when you are using Tor or HTTPS or both.

HTTPS encrypts the contents, not things like source/destination. Often only a destination IP address is required to get URL categories for many proxy/URL filtering technologies.

[0] https://www.eff.org/pages/tor-and-https

If you go to https://example.com/some/directory?param=something, the firewall will only see a request to https://example.com. Everything else is encrypted. In this case, with SSL, a government agency not doing a MITM will only see https://www.niemanlab.org, and http://www.niemanlab.org/2017/01/how-easy-is-it-to-securely-... if they were doing a MITM.

You are confusing URLs with Domains. The only plaintext part of an SSL connection is the SNI, which is the domain.

They can log the domain you connected to, not the URL you visited.

Although with most TLS implementations they will see the size of your transfers, thus still giving away which URL you visited....

Idea: HTTP server module that appends a minimal amount of hidden random garbage data (as a comment or similar) to each response so no two responses have the same fingerprint.

user btown answered that elsewhere here in this thread: "https://github.com/technion/mod_randpad (an Nginx module that injects padding as a comment into returned HTML documents) is likely the correct layer to add random padding; the performance hit would be negligible."
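The size-fingerprinting worry raised here and in the earlier mod_randpad exchange, as an added example that is not code from mod_randpad or any poster: a toy catalogue of articles with constructed byte sizes, a padding comment appended to the HTML, and an observer who knows the padding scheme and infers which article a given response length could be. It goes one step past the thread by putting random padding next to fixed-bucket padding.

```python
"""Response-size fingerprinting of HTTPS pages, and what padding the HTML
with a junk comment (the approach of the mod_randpad module named in the
thread) does to a passive observer's guess.

Added example for this thread; not code from mod_randpad or any poster.
The article slugs and byte counts are constructed.
"""
import secrets

# Constructed catalogue: article slug -> size in bytes of its unpadded HTML.
CATALOG = {
    "how-to-leak": 18_420,
    "editorial": 18_990,
    "weather": 9_310,
    "sports": 25_100,
}

COMMENT_OVERHEAD = len("<!-- ") + len(" -->")  # 9 bytes wrapped around the filler


def padding_comment(filler_len: int) -> bytes:
    """An HTML comment carrying filler_len bytes of junk that browsers ignore."""
    filler = secrets.token_hex(filler_len // 2 + 1)[:filler_len]
    return b"<!-- " + filler.encode() + b" -->"


def random_pad(body: bytes, max_pad: int) -> bytes:
    """Append a comment with 0..max_pad filler bytes, drawn fresh per response."""
    return body + padding_comment(secrets.randbelow(max_pad + 1))


def bucket_len(size: int, bucket: int) -> int:
    """Padded length for a body of `size` bytes: the next multiple of `bucket`
    that still leaves room for the comment overhead."""
    target = -(-size // bucket) * bucket            # ceil(size / bucket) * bucket
    if target - size < COMMENT_OVERHEAD:
        target += bucket
    return target


def bucket_pad(body: bytes, bucket: int) -> bytes:
    """Pad so every page in the same size class yields an identical length."""
    filler = bucket_len(len(body), bucket) - len(body) - COMMENT_OVERHEAD
    return body + padding_comment(filler)


def candidates_random(observed: int, max_pad: int) -> set:
    """Observer who knows the scheme: pages that could have produced a
    response of `observed` bytes under random padding of at most max_pad."""
    return {slug for slug, size in CATALOG.items()
            if size + COMMENT_OVERHEAD <= observed <= size + COMMENT_OVERHEAD + max_pad}


def candidates_bucket(observed: int, bucket: int) -> set:
    """Same observer against bucket padding: every page in that size class."""
    return {slug for slug, size in CATALOG.items() if bucket_len(size, bucket) == observed}


def always_identified_random(max_pad: int) -> set:
    """Pages whose random-padded length range overlaps no other page's range,
    so a single observation always pins them down."""
    ranges = {s: (z + COMMENT_OVERHEAD, z + COMMENT_OVERHEAD + max_pad)
              for s, z in CATALOG.items()}
    return {s for s, (lo, hi) in ranges.items()
            if all(hi < lo2 or lo > hi2
                   for t, (lo2, hi2) in ranges.items() if t != s)}


def always_identified_bucket(bucket: int) -> set:
    """Pages that sit alone in their size class."""
    classes = {s: bucket_len(z, bucket) for s, z in CATALOG.items()}
    return {s for s, c in classes.items() if list(classes.values()).count(c) == 1}


if __name__ == "__main__":
    body = b"x" * CATALOG["how-to-leak"]
    print("random-padded lengths:", sorted(len(random_pad(body, 1000)) for _ in range(3)))
    print("bucket-padded length:", len(bucket_pad(body, 4096)))
    print("always identified, random <= 1000 B:", always_identified_random(1000))
    print("always identified, 4 KiB buckets:", always_identified_bucket(4096))
    print("always identified, 16 KiB buckets:", always_identified_bucket(16384))
```

Random padding only blurs pages whose sizes lie within the padding window of each other; pages that differ by more than max_pad stay distinguishable from one observation. Bucket padding spends more bandwidth but guarantees that everything in a size class looks identical.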

If this is the first (and only) time someone visited the domain around the time of a leak, it may be a little suspicious.

Then use public WiFi.

It's worse than just knowing the URL. HTTP pages can be altered without your knowledge by a malicious third party: http://security.stackexchange.com/a/72661

So a surveillance agency could e.g. replace the URLs for the various organizations' leaks landing pages and Tor addresses with phishing pages, and anyone who used them would upload documents directly to the agency.

No, HTTPS URLs are not logged in plain text as they are in HTTP. So it does make an important difference.

See: http://security.stackexchange.com/a/2916/50175

If you mean "logging" as in web server logs, then it completely depends on the configuration of the server and there is nothing the client can do about it.

If you mean "transferring over the network", then yes, HTTPS only shows the server you are connecting to, but not the specific URL.

Then again, that can be deduced from the transfer sizes that are still shown.

If they can't see the contents, they also can't see the URL -- both are encrypted.

Even the NYTimes has admitted the "omg gagged scientists!" line is standard operating procedure with new Administrations:

> “I’ve lived through many transitions, and I don’t think this is a story,” said a senior E.P.A. career official who spoke on the condition of anonymity because he was not authorized to speak to the news media on the matter. “I don’t think it’s fair to call it a gag order. This is standard practice. And the move with regard to the grants, when a new administration comes in, you run things by them before you update the website.”

Try to save some of your outrage for actual outrageous events.

But the administration has not earned the benefit of the doubt. The outrage is more directed at what Trump has promised to do (eliminate the EPA, or make drastic cuts, or halt its climate change activities), than what he has actually done so far. He has not earned the trust or respect for anyone to reasonably say "this is routine, I'm sure he won't do anything stupid".

You can't always stay silent until after something outrageous has happened. Some things are easier to prevent than to undo.

I am feeling the opposite. For a while, I figured: this is kinda routine. Democrat, Republican, action, counter. And then that "this week at the fed" floated around Facebook and it read like dire predictions of the future.

My expectation is increasingly "it is routine that he will do something stupid."

Well, sure, but in many cases you don't have to guess. The whole "take him seriously but not literally" was stupid, of course you should take him literally. Most of his actions so far have been the first steps of doing exactly what he said he would do, and they should be treated that way, even if in a vacuum they don't seem that bad.

And so this is how he gets to be so destructive, with the bar set so very low. Obama was a statesman, so people measured him against a high bar and often found him lacking. Trump is a buffoon (but who does know how to 'sell' amazingly well), and people are measuring him against a buffoon's bar.

Trump and his people have openly spoken and acted against the media. Also, IIRC, the prior Republican administration blocked scientists from speaking openly and had politicos edit all communications, while the Obama administration allowed the scientists to communicate unfiltered. One speculative statement from an anonymous EPA official doesn't offset that.

> Even the NYTimes has admitted

I'm not sure what that means. The Times has reported all sides of the spectrum. They broke the Hillary Clinton email server story, for example, and also Trump's tax returns.

It's quite common that employees cannot comment on behalf of their employers. EPA scientists are executive branch employees so their boss is Trump.

> However, one of the consequences of the election is that the new administration now controls what federal agencies say and what side of an issue they take in a debate about, for example, climate change or reproductive rights.

Ref: https://www.aclu.org/blog/speak-freely/government-employees-...

That justifies Trump's power to do it, but it doesn't make it good or acceptable. The President has the power to do many things that are wrong. Trump could order other employees to invade other countries and to kill and torture people.

> EPA scientists are executive branch employees so their boss is Trump.

And Trump's boss is the American people. Everyone in the executive branch and throughout the government reports to them, ultimately.

Not that it is normally allowed to have underlings spilling data and opinions everywhere, but scientists are special. Conservatives with equal skill go into engineering because that is a more reliable path to a comfortable income. That leaves science with a bias, and that bias is now in conflict with the leadership.

Allowing people to have unfiltered communication might be nice, but it doesn't count for much when you already know they mostly agree with you.

In case I missed it, was the Obama administration fine with employees expressing opinions that conflicted with Obama's views? That would count for something. For example: coast guard employees endorsing off-shore oil drilling, health and human services employees taking pro-life positions, border patrol agents supporting a wall, military generals opposing non-traditional gender in the military, department of education employees opposing evolution, department of labor employees praising right-to-work laws...

> was the Obama administration fine with employees expressing opinions that conflicted with Obama's views?

I saw it many times. For example, military officers did openly debate the gender issues before a decision was made (I don't know about after).

They were not allowed to support the A-10 or oppose the F-35.

Certainly there is always some of that around in any organization: Don't undermine your boss. Some bosses are more open or effective at that than others. The executive branch has well over a million employees, so everything you can imagine is probably going on somewhere all the time.

In those cases, I think those situations were local to Pentagon programs; they were not instructions from the White House; they weren't blanket gag orders for whole departments on every issue.

Did you read the Sunlight Foundation post (link in the Nieman piece)? This isn't just about agencies talking to the media. Scientific publications were also restricted.

This x1000. Beware "outrage fatigue". It has only been a week and it's already exhausting.

I dunno, today's BBC had 'US may drop Russian sanctions in exchange for cooperation against terrorism' front and center.

Outrage exhaustion is easy to create, but it doesn't mean outrageous things aren't still outrageous.

I'm surprised we haven't reached Peak Outrage yet. Lots of outrage stamina.

I, for one, am using this as an excuse to teach everyone I can about encryption. So I'm willing to live with the faux outrage.

So why did you wait until now?

Because people would be more interested and receptive now?

Sites shouldn't be putting secure drops in a subdomain. DNS and TLS SNI expose domain names in plain text, so 3-letter agencies watching backbone traffic will immediately notice when "securedrop.example.com" is accessed.

Vice and Intercept made a better choice using a path on their regular domain:

https://theintercept.com/securedrop/
https://news.vice.com/securedrop/

(SecureDrop developer here). Obviously we agree, using a SecureDrop-specific subdomain makes traffic analysis trivial. Our deployment best practices [0] warn folks not to use subdomains.

Sadly, since SecureDrop is decentralized, we cannot enforce this, and some organizations apparently find it very difficult to provision a separate path ("example.com/securedrop" instead of "securedrop.example.com") for their SecureDrop landing page.

[0]: https://docs.securedrop.org/en/stable/deployment_practices.h...

What about provisioning other, non-securedrop stuff on that subdomain, and not calling it "securedrop"? Seems like that's better than nothing:

misc.mydomain.com/securedrop
misc.mydomain.com/pacman-game
misc.mydomain.com/portraits-of-frieda-kahlo

Ideally you'd leave it at the top level since obviously whatever other random junk you put on the subdomain will be lower-traffic than the main domain, but at least here there's plausible deniability (I was just clicking on an easter egg that played pac-man!)

So much more to opsec than using tor. I hope leakers are either ready to be unmasked, or have countermeasures against things like document fingerprinting.

This piece is so incredibly irresponsible. If someone uses this to leak truly important information, they should not be surprised to quickly receive a knock on the door and a dark cell. There are many people in a position to leak things who are not involved in technology and may believe these steps are adequate for their protection.

I think that is overstating it. If you compare doing this to simply emailing en clair from a personal or work computer, it is significantly more secure. If the leaker is already under close physical or technical surveillance there is very little they can do about it.

The additional risk is the assumption of protection. Someone who doesn't use this site and knows they are under watch may decide not to leak the information because they're aware of their risk. They could get a false sense of security from this site and leak information they otherwise wouldn't have, and are likely to be caught.

> This piece is so incredibly irresponsible.

Perhaps. Can you write a better one?

No I can't. But if I had written this piece I would slap an absolutely massive disclaimer at the top warning leakers-to-be that these steps alone are very far from properly protecting yourself.

Layers. It's all about layers. In this case, using Tails and Tor make it less likely, but not impossible, that the adversary will actually get their hands on the leaked document for analysis in the first place.

(In this case I would be more concerned about the SecureDrop application and the specific instances becoming too juicy a target for the counter-intel people. Once they decide to infiltrate something, they generally do after a while.)

Out of curiosity: How do you counter document fingerprinting?

If you have the chance to download documents from multiple accounts and IPs, then you can check if the documents are the same bit-for-bit.

If not then you can do some conversion routines, like pdf->(list of images)->merged to a single pdf again, and then you can compare the resulting documents from the different accounts.

Fingerprints can be visible, but not obvious, so printing and scanning back could leave them in.

I worked for a company that made a device back in the day. Many engineers had been issued one well before it was announced so that they could develop the software. Each device was carefully labeled with a sticker identifying whose device it was.

A picture of one showed up on a blog as a leak. The leaker had sensibly put a black box over the sticker.

The thing that neither the leaker nor any of the rest of us knew was that each device also had a series of bumps on the top and bottom of the device which uniquely identified it just as effectively as the sticker. He was fired instantly.

In fact the sticker was probably there as a red herring, to give false confidence to the leaker that he had countered the fingerprinting!

I wonder if dazzle patterns[1] on pre-release Xbox Ones had a similar function. If each pattern was unique, you could only hide it by obfuscating most of the device.

[1] http://uk.businessinsider.com/microsoft-xbox-one-leaked-to-a...

>If you have the chance to download documents from multiple accounts and IPs, then you can check if the documents are the same bit-for-bit.

Now imagine fingerprinting is done on the fly by your corporate proxy server.

I found analog loopholes are the most basic countermeasure to document fingerprinting.

Probably best if you recreate the document from scratch and "in your own words".

That's dangerous as well, because now your language can be analyzed and compared with other writings from you.

Just get hammered [0] before writing.

[0] - or sober, whatever is the opposite of your typical working state

Software like Anonymouth [1] can be used to counter attempts to perform stylometric analysis.

[1]: https://github.com/psal/anonymouth

Then you're sending a fake to the media.

The media will ask if the document is real and the organisation will correctly claim that the document is a fake (because you used your own words).

A lot of these techniques actually make verifying leaked documents very difficult.

In fact some of the faithfully rewritten "facts" may be small fictions designed to identify, couched in the real text. Rewording them still confers the fingerprinted meaning.

Use an automatic document processor written by someone else to paraphrase the text.

I imagine such a program already exists among top-shelf university student cheating service providers to defeat the academic plagiarism detectors.

(If not, write one, and sell it to leak sites and to cheating service providers. $$$)

AKA the "roll your own crypto" strategy.

I fail to see how using an existing tool if it exists, and writing it only if it does not, qualifies as "roll your own crypto". Automatic paraphrasing would defeat the writing style analysis suggested by the cousin post.

Printing and scanning would defeat fingerprint in the form of invisible Unicode whitespace and combining characters.

Retyping everything would be good.

No. No. NO.

That is only one type of fingerprinting used.

The actual process is inserting typos and slightly different phrasing in various places. So if someone leaks the entire document or copy/pastes from it or takes a picture or whatever, it's trackable.

And yes, I worked in that space for quite a while.

The main thing is to realize that a communication may have been crafted to identify its recipient, and to take precautions against that.
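As an added example (not code from the thread or from any product it mentions), this is what the "slightly different phrasing in various places" scheme looks like when written down, and why a retyped or reflowed copy still decodes while a genuine paraphrase does not. The template, the recipient IDs and the two phrasings per slot are all constructed for the example; a real deployment would draw the variants from the document itself and keep the table out of band.

```python
"""Added example (not from the thread): a recipient-specific wording watermark,
the "slightly different phrasing in various places" technique described above,
and why retyping or reflowing the text does not remove it.

Each slot in the template offers two interchangeable phrasings.  Choosing the
first or the second at slot i encodes bit i of the recipient's ID.  Whoever
holds this table can recover the ID from any copy that preserves the wording,
whatever the formatting or file type.  All text here is constructed."""
import re

# Constructed template: (variant 0, variant 1) for each slot, in reading order.
SLOTS = [
    ("The board will meet on Monday", "The board meets on Monday"),
    ("to review", "to go over"),
    ("the quarterly figures", "the quarterly numbers"),
    ("before they are released", "prior to their release"),
    ("to shareholders.", "to the shareholders."),
    ("Attendance is mandatory", "Attendance is required"),
    ("for all department heads.", "for every department head."),
    ("Please confirm", "Kindly confirm"),
]


def render(recipient_id: int) -> str:
    """Produce the copy sent to one recipient; bit i of the ID picks slot i's variant."""
    if not 0 <= recipient_id < (1 << len(SLOTS)):
        raise ValueError("recipient id does not fit in the available slots")
    return " ".join(pair[(recipient_id >> i) & 1] for i, pair in enumerate(SLOTS))


def _normalize(text: str) -> str:
    # Collapse whitespace and case so that a retyped, reflowed or copy/pasted
    # version compares equal to the original wording.
    return re.sub(r"\s+", " ", text).strip().lower()


def identify(leaked_text: str):
    """Recover the recipient ID from a leaked copy.

    Returns None when a slot is unrecognisable, i.e. neither (or both) of its
    variants is present, which is what genuine paraphrasing produces."""
    body = _normalize(leaked_text)
    recipient_id = 0
    for i, (variant0, variant1) in enumerate(SLOTS):
        found0 = _normalize(variant0) in body
        found1 = _normalize(variant1) in body
        if found0 == found1:
            return None
        if found1:
            recipient_id |= 1 << i
    return recipient_id


if __name__ == "__main__":
    copy_for_42 = render(42)
    print(copy_for_42)
    # A retyped copy with different line breaks and capitalisation still decodes.
    retyped = "\n".join(copy_for_42.upper().split(" "))
    print("decoded:", identify(retyped))            # 42
    # A genuinely paraphrased copy does not.
    print("paraphrase:", identify("Board meeting Monday; quarterly numbers; be there."))  # None
```

With eight slots the table distinguishes 256 recipients; a document of a few pages offers far more slots than that, which is the point made a few comments down about how few bits it takes to single out a source.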

Connect to Google Translate over Tor and get them to translate it to French and back again, perhaps?

Some stuff will survive that, like a proper noun that doesn't translate in either direction and is given a characteristic misspelling, possibly combined with other hints. Sentence order will survive too, as well as higher-level structure. There are so many places in a document that is several dozen kilobytes large to hide bits that it is probably impossible to ever be sure you've scrubbed them. Especially since it won't take that many bits to identify the source. Hiding the bits doesn't even have to be done via clever textual manipulation; it is a standard part of the intelligence game to make up entire facts with no basis in reality and then see where they leak out, then trace back. No amount of cleverness will save you from that.

Then your evidence translates into gossip.

This strikes me as a clever idea :)

And how do you counter that?

There are technologies which are designed to survive print & scan. Specifically microdots[0].

Retyping is pretty good unless they sent everyone a slightly different version of the document or you retyped information which could identify you.

[0] https://en.wikipedia.org/wiki/Printer_steganography

How about maybe using a computer to extract all non-ASCII characters and output plain text instead of retyping everything?
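The suggestion above, worked out as an added example (not from the thread): list every character outside printable ASCII, with its Unicode name, and then produce a plain-ASCII copy with format characters and combining marks dropped. The sample memo and the characters planted in it are constructed. This only covers the invisible-character channel that the "printing and scanning" comment refers to; the wording-based marks discussed earlier are untouched by it.

```python
"""Added example (not from the thread): report every non-ASCII or invisible
character in a text, then produce a plain-ASCII version with format characters
and combining marks dropped.  This handles only the invisible-character channel
(zero-width characters, soft hyphens, bidi marks, combining marks, look-alike
letters); markers carried in the wording itself are untouched by it.
The sample text is constructed."""
import unicodedata

# Constructed sample containing several invisible or typographic characters:
# zero-width space, soft hyphen, zero-width non-joiner, em dash, curly quotes,
# an "fi" ligature and a left-to-right mark.
SAMPLE = ("Con\u200bfidential memo: re\u00adview the fig\u200cures "
          "\u2014 see \u201cappendix\u201d (\ufb01nal).\u200e")

# Typographic characters that NFKD does not fold; map them to ASCII by hand.
_TYPOGRAPHY = str.maketrans({
    "\u2014": "-", "\u2013": "-",       # em dash, en dash
    "\u201c": '"', "\u201d": '"',       # curly double quotes
    "\u2018": "'", "\u2019": "'",       # curly single quotes
    "\u00a0": " ",                      # no-break space
})


def find_suspect_chars(text: str):
    """List (index, code point, category, name) for every character that is not
    printable ASCII, tab or newline."""
    findings = []
    for i, ch in enumerate(text):
        if ch in "\t\n" or 0x20 <= ord(ch) < 0x7f:
            continue
        findings.append((i, f"U+{ord(ch):04X}", unicodedata.category(ch),
                         unicodedata.name(ch, "<unnamed>")))
    return findings


def to_plain_ascii(text: str) -> str:
    """Fold typographic characters, decompose (NFKD), drop format characters (Cf)
    and combining marks (Mn), and discard anything still outside ASCII."""
    text = text.translate(_TYPOGRAPHY)
    decomposed = unicodedata.normalize("NFKD", text)
    kept = (ch for ch in decomposed
            if unicodedata.category(ch) not in ("Cf", "Mn"))
    return "".join(ch for ch in kept if ord(ch) < 0x7f)


if __name__ == "__main__":
    for index, cp, cat, name in find_suspect_chars(SAMPLE):
        print(f"{index:3d}  {cp:7s}  {cat}  {name}")
    print(repr(to_plain_ascii(SAMPLE)))
```

The report step matters as much as the cleaning step: a soft hyphen or zero-width joiner in the middle of a word is a strong sign the copy was marked, and that is worth knowing before deciding whether any cleaned version is safe to pass on.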

Rewrite the document. Swap around chapters and sections, use your own words, TLDR some sections, remove/replace images, etc.

> use your own words

Not a good idea.

yes, the steps detailed in the post are likely not enough to evade being caught if a large intel agency is looking for a leaker. it very probably will be enough to prevent detection before the materials are published, but not necessarily afterwards when authorities start looking for a leaker.

Are there software vendors selling systems that make it easy to fingerprint documents? Are there any proven known cases of some administration branches using fingerprinting routinely?

How long until someone on the Trump side starts sending spam to all of these addresses?

They can't block it, but good luck finding real signal in millions of requests.

Or, more subtly, deliberately leaking easily discredited stuff. Once it gets published, it becomes a propaganda target. As a great example, consider how Dan Rather was taken down by https://en.wikipedia.org/wiki/Killian_documents_controversy. Planting a perfect smoking gun was enough to bring down Dan Rather and make the story of how Bush got his draft deferment toxic in the media.

The ultimate irony there is that the story that Dan Rather reported was actually true. It had all been reported in The Guardian by Greg Palast, and Dan Rather had started with access to his research. It didn't matter, planting perfect fraudulent documents managed to discredit it.

Why the Trump side? Did you not notice what the Obama side did to Manning and Snowden, just to name two leakers?

Because Trump is in power and has declared war on the media. Obama is not in power and hasn't. Therefore Trump supporters are the ones who have motivation to shut down and discredit this avenue of reaching the media.

And yes, I am perfectly aware of what Obama did to Manning and Snowden. I objected to that at the time, and still do.

One of the stupidities of overly polarized politics is that people assume that you must be on one side or the other. This would be a bad assumption to make about me.

"Obama is not in power and hasn't".

Hasn't is not correct. The Obama Administration was notoriously terrible towards the press. The below from an article published today: https://news.grabien.com/story-why-it-will-be-hard-trump-sur...

Obama Admin on Fox News: “We’re going to treat them the way we would treat an opponent,” said Anita Dunn, the White House communications director, in a telephone interview on Sunday. “As they are undertaking a war against Barack Obama and the White House, we don’t need to pretend that this is the way that legitimate news organizations behave.” http://www.nytimes.com/2009/10/12/business/media/12fox.html

The [Obama] administration sought to deny Fox News' participation in executive branch news-making events -- which only failed after other networks admirably refused to participate if Fox News were excluded. http://www.huffingtonpost.com/2009/10/23/white-houses-fox-ne...

When James Rosen reported accurate information about North Korea leaked by a member of the Obama State Department, Eric Holder ordered his movements to be tracked and his phone records seized, and went "judge shopping" until he found one willing to grant such a warrant without telling Rosen himself. Holder even told Google not to notify Rosen that the government was monitoring his email. https://www.washingtonpost.com/local/a-rare-peek-into-a-just...



The New York Times's James Risen was targeted for almost the entirety of Obama's two terms. His crime? Reporting accurate information the Obama Administration didn't want reported. "Along the way, we found out that the government had spied on virtually every aspect of James Risen’s digital life from phone calls, to emails, to credit card statements, bank records and more," https://freedom.press/news-advocacy/the-james-risen-case-and...

The Associated Press experienced similar surveillance. For two months, the Department of Justice tracked 20 AP reporters' calls, ostensibly over their reporting into a Libyan terrorist's failed plot. Why was reporting on a failed plot so threatening? The AP said it was because the administration wanted to announce the news itself. https://www.washingtonpost.com/politics/some-question-whethe...

Just pointing out that 'Hasn't' is not correct. Carry on...

Fair enough, but he didn't carry on a general war.

Obama waged a campaign against leakers. Most of what you refer to was tied to that. Related, see the fact that he used the Espionage Act more than everyone else. That phrasing is precise, Obama used it more than all other presidents combined.

He also faced a sustained propaganda campaign from Fox News. (The results of which were regular grist for Jon Stewart on The Daily Show.) He therefore treated them as an enemy.

This was unfortunate, but not really comparable to Trump's treating anyone who disagrees with obvious outright lies as an enemy. And Trump's declaring most of the media enemies, and issuing a variety of thinly veiled threats to them.

I wouldn't be surprised to see Obama's unfortunate espionage act record eclipsed as well... :-(

If you are going to downvote me, possibly give a reason.

At any rate, whatever. I am not going to be silenced by your keyboard

I second that.

Anyone who values reality should recognize detailed valid criticism for what it is, and support it. Especially if it is your position being criticized. Statements need to be judged by evidence of accuracy, and not agreement with your preconceptions.

A detailed post, offering correction and full of links and exact quotes should therefore be voted up, not down.

Obama (for the most part) went after National Security leakers, IIRC.

Trump seems to be going after any federal agency that does not pursue goals that he wants.

What are you talking about... serious question?

Seems as if what Trump has initiated is no different than previous administrations upon taking office [0]. Are you sure there's some clear break from past precedent?

[0] https://twitter.com/mtracey/status/825001424455077890

I am quite sure. Moves like https://www.washingtonpost.com/politics/whitehouse/epa-scien... to provide political review and censorship of scientific work is something that hasn't happened in this country since McCarthy was taken down.

Or take the reinstatement of the Holman rule. See https://www.washingtonpost.com/local/virginia-politics/house.... This rule allows politicians to target individual civil servants. This is again not business as normal. This rule was removed under Ronald Reagan in 1983. No administration since has sought its reinstatement. This again fits into the theme of creating "chilling effects" from partisan oversight of what is supposed to be a politically neutral organization.

For a third example, see http://www.salon.com/2017/01/10/please-dont-tell-us-the-trut.... The CBO is widely viewed as neutral, and has been kept that way for many years. It routinely provides estimates for every bill of what that bill's impacts are likely to be, including the estimates of the impact on our deficit. However House Republicans want to repeal the Affordable Care Act and do not wish to be embarrassed by estimates of how much removing some of its inflation limiting provisions will impact our federal deficit. So they are banning the CBO from calculating this number.

I can cite plenty of precedents for all of these actions. They are all before my birth, or in other countries. They are emphatically NOT business as usual in the modern USA.

To keep this in context the "National Security leakers" leaked data about the Orwellian surveillance state he created and journalists that were murdered by US armed forces.

Actually the Orwellian surveillance state was mostly created by Bush. Obama only inherited and expanded it. (And now Trump looks like he wants to USE it...)

Spam has already happened: https://github.com/freedomofpress/securedrop/issues/774

But it's just a matter of putting up enough of a roadblock to make it unappealing. CAPTCHAs are an easy fix to cut down on some noise.

CAPTCHAs aren't going to stop Trump supporters and aides from submitting spam.

This assumes that running easily discredited fakes would damage the credibility of future claims or the willingness of the media to report them. So far, that hasn't been true of negative claims about Trump.

>How long until someone on the Trump side starts sending spam to all of these addresses?


This reminds me of the Eldo Kim bomb threat:


I guess the guy was the only one on the network using tor, making him easy to identify.

So unless tor gets a huge userbase in DC, it seems like an encrypted url would be safer. (I don't know much about tor; am I wrong?) Everyone reads WaPo; no suspicion getting on that site.

But I think the main difficulty in becoming a leaker is that you have to hide your mental evolution as you decide to become a leaker. By expressing your dissatisfaction to your colleagues before you decide to leak, you make yourself a suspect post-leak. Leakers should be aware that traditional investigative mechanisms are very powerful, and even if the crypto is rock solid, it is still very likely they'll be caught. It's then a question of whether they are willing to 'take one for the team'.

SSH tunnel to a bitcoin paid server, connect from there. That's how the tool sending me threatening pictures of my house operated. Fortunately his opsec sucked and he scoped me out on LinkedIn with an account under the same pseudonym of Mr. "Dendler". One email to LinkedIn to make a backup of his account in case a subpoena was needed and he stopped immediately. Must have connected to them with a traceable means.

That seems pretty drastic (sending photos of your house). Mind if I ask why you were targeted?

For what it's worth when I was a young jerkoff in college I was spamming on some forums and pissed off a guy who later sent me my college address. I got his IP from the forum, tracked down his ISP, and messaged them and the FBI about it along with the threatening chat logs and never heard from him again. Not that I think they took real action, but it was some script kiddie I wanted to set straight with the threat of real consequences. This was back around 2004 or 2005 when things were a bit more loose in terms of encryption and privacy online.

An admin of HackerNews targeted me once because.... I posted a comment on an article that was later linked from here. Kept asking me what my boss would say when he talked to him on the phone. Except she was a woman and only took e-mails.

The hard part isn't anonymously leaking the information. (You could do this with a $0.15 envelope and a stamp. Just remember not to put in your address as the return address and to wear gloves).

The hard part when you leak is that you are now in a set of people that knew the information. That usually boils things down to a handful or even one suspect. With US federal agents where in fact it is illegal to lie to them, they will have you in their office by lunch.

In this case, get a lawyer and don't answer any questions without them. Also, if you do leak a hard copy, print it at a public place and use a B&W printer. Color printers are relatively easily traced.

Are those tracking dots not microscopic? I would assume printer manufacturers also put them on black-and-white prints. Even if they don’t do it now, this is only a printer driver update away.

They are very small, but not microscopic. They are done in yellow ink, which is why they are very hard to see. If they were printed in black ink, I think you'd be able to spot them immediately, despite their small size.

> In this case, get a lawyer and don't answer any questions without them.

This advice is valid whether or not you leaked anything.

I assume you meant "with US federal agents". ;)

> Leakers shouldn’t use their work computers and should use public wifi, “like a Starbucks or at a hotel or anywhere where the Internet is open for public use.”

Lately there seem to be very few completely open wifi points. Most of them at least require some click through for agreeing to terms. Is there any risk involved here?

All of the ones with click thru terms of service are logging your MAC too.

My personal favorite open wifi service is the one on Amtrak, and you can buy a paper ticket with cash. Pretty anonymous.

Any AP knows your MAC, as that's the basis of how Ethernet works.

And there's nothing special about your MAC, changing your address is as easy as editing a single setting.

Yes thanks. The point is those click-thru landing pages work by temporarily whitelisting your MAC, which means they have a list of MACs somewhere. The MAC information needed by ordinary networks is ephemeral.

Even without click-throughs. Comcast Business routers keep a log of every MAC that's ever connected wirelessly. Granted I think it's a bug as it causes the MAC whitelisting page to take like a minute to load.

Even my Mikrotik at home logs MACs by default. The log is small and not persisted, but log entries definitely stick around a few days.

Don't count on your MAC not being logged.

And if the router itself isn't doing it, there are programs like arpwatch.

DHCP also works by recording your MAC (so that you can renew your IP, and another computer can't). Most DHCP servers write their lease files to disk. Most also log to disk. I wouldn't consider the absence of a captive portal to be a strong signal.
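As an added example of the point above (not code from the thread or from the ISC dhcpd project), here is what a DHCP server's lease file retains and what a network operator can read back out of it. The lease blocks are constructed sample data in the dhcpd.leases layout; the parser and the per-client summary are illustrative.

```python
"""Added example (not from the thread): what a DHCP server's lease file keeps
about every client that has joined the network.  The sample below mimics the
ISC dhcpd.leases format with constructed data; the parser is illustrative and
not the dhcpd project's own code."""
import re

SAMPLE_LEASES = """\
# The format of this file is documented in the dhcpd.leases(5) manual page.
lease 10.0.5.23 {
  starts 4 2017/01/26 14:02:11;
  ends 4 2017/01/26 16:02:11;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "johns-macbook";
}
lease 10.0.5.24 {
  starts 4 2017/01/26 14:10:40;
  ends 4 2017/01/26 16:10:40;
  binding state active;
  hardware ethernet AA:BB:CC:DD:EE:01;
}
lease 10.0.5.23 {
  starts 5 2017/01/27 09:30:02;
  ends 5 2017/01/27 11:30:02;
  binding state free;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "johns-macbook";
}
"""

_LEASE_BLOCK = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_leases(text: str):
    """Return one dict per lease block: ip, mac, starts, ends, state, hostname."""
    records = []
    for match in _LEASE_BLOCK.finditer(text):
        rec = {"ip": match.group(1)}
        for raw in match.group(2).splitlines():
            line = raw.strip().rstrip(";")
            if line.startswith("hardware ethernet "):
                rec["mac"] = line.split()[2].lower()
            elif line.startswith("starts ") or line.startswith("ends "):
                # "starts <weekday> YYYY/MM/DD HH:MM:SS"; "ends never" also occurs.
                parts = line.split()
                rec[parts[0]] = " ".join(parts[2:]) if len(parts) >= 4 else parts[-1]
            elif line.startswith("binding state "):
                rec["state"] = line.split()[2]
            elif line.startswith("client-hostname "):
                rec["hostname"] = line.split(" ", 1)[1].strip('"')
        records.append(rec)
    return records


def clients_seen(text: str):
    """Summarise per MAC address: first/last seen, addresses used, hostnames announced.
    Timestamps are fixed-width, so string comparison orders them correctly."""
    summary = {}
    for rec in parse_leases(text):
        if not {"mac", "starts", "ends"} <= rec.keys():
            continue
        entry = summary.setdefault(rec["mac"], {
            "first_seen": rec["starts"], "last_seen": rec["ends"],
            "ips": set(), "hostnames": set()})
        entry["first_seen"] = min(entry["first_seen"], rec["starts"])
        entry["last_seen"] = max(entry["last_seen"], rec["ends"])
        entry["ips"].add(rec["ip"])
        if "hostname" in rec:
            entry["hostnames"].add(rec["hostname"])
    return summary


if __name__ == "__main__":
    for mac, info in clients_seen(SAMPLE_LEASES).items():
        print(mac, info["first_seen"], "->", info["last_seen"],
              sorted(info["ips"]), sorted(info["hostnames"]))
```

Two things in the summary are worth noticing: the file ties a MAC to a time window without any captive portal being involved, and the `client-hostname` the operating system volunteers ("johns-macbook" in the constructed data) is often more identifying than the MAC itself.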

Changing your MAC address is possible on most operating systems, if you're at that level of paranoia.

If you were leaking a document that involved the NSA/GCHQ I'm not sure it would be paranoia or that there is a sufficient level of paranoia.

They aren't Godlike but I'll admit the Snowden revelations surprised me and I'd been following that stuff for years.

I wish Apple would extend the mac randomization for probe packets to normal operation (as an optional setting).


A journalist uses some Apple computer. If it's new, Tails won't be able to establish a network interface, so maybe there is a USB wifi dongle as well.

When entering boot mode (restart with option key pressed), in order to select Tails, wifi networks are shown.

You are suggesting that Apple is leaking the MAC address of the computer to all AP before Tails is even selected to boot from.

This suggests that any MAC address randomization the user intended to use for the built in computer wifi or the dongle via Tails will be partially defeated.

Many AP will log the original MAC immediately and one (the one chosen for wifi after Tails boots) will log the randomized Tails MAC.

Is this a correct assumption?

EDIT: After rereading it sounds like you are saying they DO randomize probe packets and the scenario I describe above does not occur, NO MAC is leaked during Tails boot selection process on apple hardware.

Can anyone confirm this?

Does MAC address randomization apply to desktops/laptops? Google implies it's iOS-only.

Not that I'd advocate something like this, because you could get some innocent homeowner in a bunch of trouble, but it generally doesn't take long to drive or walk around and find an unprotected access point on a personal router.

Also known as "wardriving".

Schneier has written about (and sort of advocates) being on the receiving end of this [0]:

   I spoke to several lawyers about this, and in their lawyerly way they outlined several other risks with leaving your network open.

   While none thought you could be successfully prosecuted just because someone else used your network to commit a crime, any investigation could be time-consuming and expensive.

[0] - https://www.schneier.com/blog/archives/2008/01/my_open_wirel...

Is this still true? I never notice open residential access points any more. The last few times I've set up new residential Internet service it has come with a Wifi router that has a password by default.

What would you define as completely open? I mean, the very act of leaking data is a risk; you're performing an act of civil disobedience, which while for the greater good is still likely to land you in some legal trouble if you get caught, depending on what you're leaking. I think breaking the ToS on an access point in starbucks or mcdonalds would probably be inconsequential overall, and any follow up litigation by the owner of the AP would probably just attract undesired hostile attention towards the owner.

I mean, mostly, open access APs are set-and-forget amenities. Most places don't even bother to change the default root login for the AP. I really don't think they're suddenly going to care about what someone uploaded from their AP; certainly I can envision law enforcement or federal agencies making a case out of it if it served their needs, but I doubt this is going to be high on their list.

He's not worrying about Terms of Service, but about being logged and traceable later on.

I had no idea all the major news sites had an .onion Secure Drop website. I wonder how many leaked news they receive per year.

They likely receive a lot of leaked news items a year.

However, the vast majority are either:

1. Completely fake, because someone on 4chan/Reddit/an internet forum/social media wanted to see how many journalists they could prank with false information.

2. Uninteresting or pointless to write about, since they don't describe newsworthy stories.

So the amount of actual, legitimate leaked news stories they receive a year is likely a lot less than the amount of stories they receive through these systems in total.

I'd also offer: 3. Somewhat interesting and likely legitimate, but doesn't support any narrative the editor(s) or owner(s) wish to promote.

There are media outlets all over the political space, so it's just a matter of dropping your stuff to the ones that are interested.

Yes, but since everyone is super-polarized these days and only listens to "news" outlets pushing narratives they already agree with, that means no one hears it who needs to. It's very hard to get a story to get widespread attention.

probably a lot but few are headline grabbers, afaik the biggest leak of last year was the Panama Papers and the guy didn't really use these Secure Drop links because he had like several TBs of information

Does Fox News or CNN accept leaks? I feel like having a secure way to accept leaks is a sign of a good news org.

From a business standpoint, they'd be stupid not to. A good leak could mean an exclusive.

>"Leakers shouldn’t use their work computers and should use public wifi, “like a Starbucks or at a hotel or anywhere where the Internet is open for public use.”"

Hotels can normally link a computer on their network to a room number... Suggesting they use a hotel wifi isn't a good idea IMO (unless you are not actually a guest, and it's just an open public wifi network).

Many hotels have open WiFi in their lobbies, for convenience.

If you're one of the vast minority of internet users happening to be using Tor, this stands out like a sore thumb to any party monitoring network activity. Not to mention many of the direct nodes could be your would-be adversary. I hope users of this approach understand the risks involved. Tor seems deceptively plug-and-play to the less technical crowd.

A few of these articles are suggesting that uploads be performed from public places (e.g., Starbucks) for the sake of anonymity/deniability. But it would seem that performing these actions in public would potentially reveal your identity, actions, and secret codename to any eyes or cameras around. As a question of general curiosity about anonymity, how does one weigh the benefits of using an open internet access point with the more literal visibility that using a public access point might entail?

When I wake my computer after a session of normal use and connect it to an open network, it immediately starts sending out messages to a bunch of different entities (google, dropbox, evernote, etc, etc) that can be rather easily traced back to that access point. IMHO this should be an even bigger concern than identifying a public wifi user through surveillance images, and it's a point that articles like this one routinely ignore, or gloss over:

> "Use as much caution and good sense as you can about distancing yourself from equipment and network locations you might be connected to."

Possibly an audience who has never heard of Tor before (the target for this piece) needs some more concrete advice about this than "use caution and good sense."

Hmm, yeah. The linked video from the Globe and Mail says to avoid surfing the web during the procedure, but avoiding explicitly going to Facebook and Twitter (their examples, IIRC) won't stop all identifiable network traffic from your device. I suppose that's where the suggestion of using a boot-from-USB OS might come in.

I consider myself to be quite savvy and I'd have zero confidence in my ability to reliably shut down all identifiable traffic, except by setting up a tool that blocks all traffic (like Little Snitch[1]) and then making an exception for Tor traffic.

And then there's the fact that most people's MAC addresses are ultimately tied to their identities in a way that a powerful actor could recover it without too much difficulty.

[1] https://news.ycombinator.com/item?id=13443858

A never-used $200 "burner" laptop might be a wise investment in this case.

Yes, purchased anonymously on craigslist for cash. And with a changed MAC address just in case.

This may be a dumb question, but why not just use the post office?

The Panama Papers were 11.5 million documents that were leaked all at once -- if a piece of paper is .1mm thick, that stack would be 1.15km tall. If a single piece of copy paper weighs 5 grams, double-sided printing 11.5 million documents would produce a stack that weighs almost 30 metric tons.

Point taken though, one of the bigger stories of the campaign was the billion dollar loss that Trump claimed on his taxes in the mid-1990s. That came to WaPo and NYtimes via USPS and just landed in their mailboxes.

Couldn't one take that many documents and throw them on a flash drive (or even a hard drive if it's on the order of terabytes) and mail that? I'm certainly no security expert but wouldn't the risk in terms of using the drive/files to identify you be about the same for mailed physical media compared to it being sent electronically, but with decreased risk of interception along the way?

CDs, DVDs, BluRay, flash drives, and hard drives are all mailable.

Panama Papers did in fact arrive on a HD IIRC.

One of the things the Intercept recommends as an option is to put your documents in a plain manila envelope, with no return address, and mail it from a public mailbox (not yours, not a post office). But the weakness of this is that they have no way to get back to you.

Would they need to get back to the sender? If so, they could always go the BTK route[0] and address the sender through the paper/website/show itself.

[0] The "BTK killer" asked in an anonymous letter to the police if they would be able to track him down if he sent subsequent letters on a floppy disk. The police took an ad out in the paper to tell him no, they couldn't, so he sent a disk. He wrote the letter in Microsoft Word and using metadata on the file they were able to track the killer down and arrest him.

That's OK for small batches of documents, but even an ordinary court fight between two small businesses can generate hundreds of thousands of pages during the discovery process. Several of my in-laws worked on electronic discovery for the SEC's litigation against Goldman Sachs following the financial crisis, that ran into tens of millions of documents that literally took a couple of years to organize.

Is using a PDF a good idea? I imagine that it'll contain loads of interesting metadata which might be related back to your computer at some later date.

Most formats are bad for this honestly. Most of the MS Office formats have lots of metadata.

Printing them to PDFs might actually do a decent job to strip that data. You might have to make sure your PDF printer doesn't add additional metadata though.
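To make the "lots of metadata" point concrete, here is an added example (not from the thread) that reads the identifying properties out of a .docx and writes back a copy with them blanked. A .docx is a zip package, and docProps/core.xml and docProps/app.xml carry the author, last editor, timestamps, application and company. The sample package is constructed in memory with only the parts relevant here, so it is not a file Word would open, but the functions operate on real ones; the names and dates in it are placeholders.

```python
"""Added example (not from the thread): read and blank the identifying
properties a .docx carries, to show how much an Office file says about its
origin.  A .docx is a zip package; docProps/core.xml and docProps/app.xml hold
author, last editor, timestamps, application and company.  The sample package
is constructed in memory and stripped down to the parts that matter here, so
it is not a complete Word file; the functions work on real ones."""
import io
import zipfile
import xml.etree.ElementTree as ET

CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties
 xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:title>Q3 forecast</dc:title>
<dc:creator>J. Doe</dc:creator>
<cp:lastModifiedBy>jdoe@corp.example</cp:lastModifiedBy>
<dcterms:created xsi:type="dcterms:W3CDTF">2017-01-20T09:12:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2017-01-26T17:44:00Z</dcterms:modified>
</cp:coreProperties>"""

APP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
<Application>Microsoft Office Word</Application>
<Company>Example Corp</Company>
<TotalTime>37</TotalTime>
</Properties>"""

DOCUMENT_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
<w:body><w:p><w:r><w:t>Hello</w:t></w:r></w:p></w:body></w:document>"""


def build_sample_docx() -> bytes:
    """Constructed stand-in for a real .docx: only the body and the two property parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", DOCUMENT_XML)
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
    return buf.getvalue()


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]          # strip the XML namespace


def read_metadata(docx_bytes: bytes) -> dict:
    """Return every non-empty property from core.xml and app.xml."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part, prefix in (("docProps/core.xml", ""), ("docProps/app.xml", "app:")):
            if part not in z.namelist():
                continue
            for el in ET.fromstring(z.read(part)):
                if el.text and el.text.strip():
                    found[prefix + _local(el.tag)] = el.text.strip()
    return found


def strip_metadata(docx_bytes: bytes) -> bytes:
    """Rewrite the package with both property parts emptied (kept, so the package's
    content types and relationships stay valid) and every zip entry timestamp reset,
    since the zip directory itself records when each part was last written."""
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            data = src.read(name)
            if name in ("docProps/core.xml", "docProps/app.xml"):
                root = ET.fromstring(data)
                for child in list(root):
                    root.remove(child)
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            dst.writestr(info, data)
    return out.getvalue()


def list_parts(docx_bytes: bytes) -> dict:
    """Map each zip entry to its recorded timestamp."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return {i.filename: i.date_time for i in z.infolist()}


if __name__ == "__main__":
    sample = build_sample_docx()
    print(read_metadata(sample))
    cleaned = strip_metadata(sample)
    print(read_metadata(cleaned), list_parts(cleaned))
```

The property parts are only the obvious channel: tracked changes, comments, embedded images with their own EXIF data, and the zip entry timestamps all survive a naive copy, which is why the comment above prefers printing to a fresh PDF, and why the PDF producer's own metadata then needs the same check.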

Of course, proving authenticity in such a case is a necessity too, no journalist wants to be responsible for publishing fake leaks.

I know there are companies that embed digital fingerprints in all assets on their intranet. Basically the web server serves files with a different fingerprint for each employee. These fingerprints can survive even resizing/processing/re-encoding. The company will then be able to track down the person who leaked it simply by looking at the leaked file.

I think it would be interesting for a member of Congress (or their staff) to operate a SecureDrop instance. Such a system might be a useful supplement to other forms of communication between federal officers and Congress (e.g. fax, interoffice, in person). Combined with 5 USC 7211, it might also have strong legal protection (IANAL).

I'm curious: Is any effort made in SecureDrop to detect or scrub identifiable headers or metadata from files? I understand the trust issue is generally with the source, but I could see an identity being leaked via a blob of metadata with a name in it.

How does site authentication work in Onion world? With those unrecognizable URLs, it seems like it'd be easy to set up a phishing site that leaks the whistleblower's identity.

.onion addresses are like a public key. The server needs to have a private key.

Vanity addresses, ones that have a name at the beginning, require some processing in order to find the right public key.

Who da thunk, this is blocked at my school


> 2009-2016: Dissent is racist

Dunno what you're talking about. Plenty of people on these forums have been strongly dissenting about the Obama administrations attitude toward a free and open internet, government surveillance, and drone policy.

I've never been accused of racism for dissenting against Obama or his administration.

The hypocrisy from the right was just a bit more blatant if I remember correctly.

2001-2008: Respect the President even if you disagree with him.

2009-2016: Obummer is a Kenyan Muslim dictator.

2017- : Respect the President even if you disagree with him.

New law - every computer / keyboard must now contain (already has??) a keylogger.


Side comment/question: Depending on your operating system, perhaps?
