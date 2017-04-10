The $250,000 given represents the largest amount we’ve ever provided to an organization since launching the MOSS program. It will support the creation of the next version of SecureDrop, which will be easier to install, easier for journalists to use, and even more secure.
IMHO, given the rule that security must cost more to defeat than the target's value to the attacker (i.e., if you are protecting a $1 million secret, it must cost $5 million to defeat the security), I wonder if SecureDrop is feasible:
How much would it be worth to know leaks to the NY Times (and every other publication that uses it)? Some leaks turn into stories that move markets; their value is potentially billions of dollars. Some determine the fates of powerful individuals, organizations, political movements, and nations; their value is existential to attackers. Can that really be secured? Doesn't it seem likely that state intelligence agencies will dedicate the resources necessary to hack SecureDrop? Based on that reasoning, $250K is a drop in the bucket. Perhaps the news agencies would be better off posting a webpage advising informants to mail encrypted USB drives, or leave them at dead drops.
There's a broader issue: What is the chance that the NY Times', and similar publications', internal systems aren't already penetrated and monitored? Based on the reasoning above, that also seems very unlikely.
