The New Yorker Strongbox (newyorker.com)
583 points by danso on May 15, 2013 | 164 comments

I was discussing with a colleague whether tor is still trustworthy these days: running exit nodes without ending up in jail or thrown out by your ISP becomes more and more difficult (if it's not impossible already). Also tor still gets a lot of bad press as being nothing but a medium for child porn consumers to hide their tracks.

As such I wonder whether there are exit nodes (or even just plain nodes) left that are not being run by governments as honeypots?

How can you be sure that the data you are submitting is not intercepted? How can I be sure that all my traffic is not running through one government network (because all tor nodes still left are compromised)? How can I be sure that I'm actually submitting my information to the New Yorker in this case as opposed to a government server posing as them?

The announcement page linked is not being served over SSL and the onion URL given isn't using ssl either (as if any ca would sign a cert for that domain, but if the linked page was served over SSL they could publish a fingerprint there)

If I had important information to leak, I would probably still have an otherwise uninvolved colleague drop by in person to dump the data for that one (and only one) time. If I had a friend willing to take the risk.

Or if there was an EV signed page of the New Yorker listing an SSL fingerprint of a certificate that's used by that tor server, then maybe I could live with the fact that tor is likely compromised.

Then again, maybe I'm just a paranoid coward. I'm so glad I don't have access to information anybody would be interested in.

Tor over Tor Hidden Services does not go in plaintext and it does not matter if exit nodes are being sniffed, because you never leave the Tor network.

That is, SSL is not a problem for you, because the URL is self-authenticating. This is especially useful if you have a newspaper, because you can print the address on the paper and not have to worry about CA and this kind of stuff.

Worth looking at is probably also GlobaLeaks (https://globaleaks.org/) that is a system that also uses Tor HS. This system is more actively developed and is designed to be extendable.

We are also happy to say that just last week we released the 0.2 release of GlobaLeaks. You can see a live demo on our site: https://globaleaks.org/.

On the other hand, the page telling you what the Hidden Service URL is does go across the Internet as plaintext and can be modified to contain a malicious URL by exit nodes if you view it via Tor, which you'd probably want to.

Well, the government can connect the onion URI to the new yorker. Would it be feasible to use domestic warrants to identify the server? I'm not sure as to what end as it would still be end-to-end encrypted.

That's fine, the anonymity works both ways. You can't access an .onion without using tor, and in this way, use of tor prevents the .onion service from knowing who you are.

Contrast The Silk Road, where the .onion is being used primarily to protect the identity of the service itself (as most of the users give their physical addresses to the service).

Both are hidden services. One is privacy for the client, one is privacy for the server.

If you are relying on Tor exit nodes being trustworthy, then you are using Tor incorrectly. All Tor does is anonymize your traffic, it makes no guarantees once it leaves the network.

Either make sure you are using end-to-end encryption or only use Tor for information you don't mind being public.

My premise is that based on the data I'm submitting, it might be possible to deduce my identity.

And it's certainly easy for trained government agents to trick me into releasing too much information about myself when they pose as New Yorker reporters based on the information I just sent them.

If I'm submitting my data to the government posing as the New Yorker I'm exposing myself to much more risk than if I'm submitting my data to the New Yorker, provided I trust them. That's why I'm insisting on that onion link being displayed on a page that's EV signed. Because right now I have no guarantee that their http://tnysbtbxsf356hiy.onion link is actually the address of their drop box and not the honeypot the government has set up and put on a fake New Yorker page which they MITMd me.

But that's not an exit node. Yes, any .onion address that you don't personally verify[1] could be something other than it seems. In fact, with sufficient resources, that onion link could be rewritten in transit once it hits the backbone or your last mile provider. How would we know if it's arsta8rst87ars.onion[2] vs. dndspjsnbshsdrsts.onion?

[1] And even then...

[2] Yes, Colemak

Apparently it can't be rewritten, the address itself is a hash to a server key. That's why it's gibberish and not newyorkerdrop.onion

That's not what I mean.

On that page (http://www.newyorker.com/strongbox/, no SSL, no hashing, etc.) is an onion link. I see it as http://tnysbtbxsf356hiy.onion.

An adversary with sufficient access (whether to the server, or to the network between the New Yorker site and your browser) can rewrite that link without your ever knowing. Then you are legitimately directing your browser, once on Tor, to a spoofed site.

True, but you can bookmark it, and compare it against the one used by others. They're also short - you can write them down and communicate them offline.

To compare, ssh uses no PKI, but is relatively resistant to MITM as it stores public key fingerprints for a given service on first access.

bookmark...others...offline. Be more paranoid.

Yes, what if someone MiTM's your offline communication... /s

If the Feds (or whoever) were swapping out this address at a large scale, then the NYT would notice and communicate to the public that this was happening. If the NYT was muzzled and every computer that you or anyone you know has its connection being tampered with, then you are basically fucked anyway and this is the least of your concerns. At this level of paranoia you shouldn't be trusting the NYT anyway...

If they are not MiTM'ing this at a large scale, then quick verifications on other networks with other peoples' computers will work just fine.

Let's take a simple example. A soldier deployed overseas sees this link, sets up Tor, and sends some confidential information that includes evidence that the US government is up to some shenanigans.

After Manning and some other fun, the military is not really a fan of this happening, but realizes that it would provide an excellent way to identify seditious elements who don't have other channels to work out their moral dilemmas (or just their annoyance at being an expendable cog in the bureaucracy).

MilInTheMiddle proxy rewrites the page, replaces just that link with one that is under their control, then waits. People outside the military see the normal link, but a kid in Iraqistan sees the honeypot. When s/he sends secrets to the New Yorker (it's not even the NYT), the operator has a lead not only on what information may be flowing to the media, but is able to stop it and investigate the sender.

The same case could be made for financial institutions, government agencies, people in foreign countries with national firewalls, etc.

The only reason I'm not particularly concerned about this is that I strongly suspect that a) the organizations don't really have their sh*t together enough to do this in a fashion that wouldn't create immense blowback when (not if) discovered, and b) there are easier methods to get similar information already in place.

That scenario is what "offline" is for. That soldier could call up his mum and ask her to read off the link over the phone. There is no way that anything but an utterly game-changing surveillance and censorship system is going to MiTM that in time. Or he could give some local kid a candy bar to look it up at an internet cafe, or hold onto the data until more alternative communication channels open up for him. If this soldier's communication is blacked out to the point that he cannot ask anyone else to verify the link using an internet connection other than his own, then it probably isn't safe for him to be attempting whatever it is that he is doing in the first place.

It's not blacked out. It's subtly and near-undetectably changed. Who says the soldier is tech-savvy enough to know to talk on an alternate secure backchannel because s/he can't trust the same Internet that has fantasy football and funny videos on YouTube?

Let's reduce this even further. The New Yorker has put up a webpage saying, "Send your secrets here!" Pretend they put up a phone number instead. 1-800-231-2142. The military phone switching system can either automatically redirect calls to that number to a switchboard of impersonators, or they could change the number to one they already have, so that they can also capture military assets using personal phones, mobiles, etc.

The New Yorker page does not give any information about "offline" validation. They give a pointer to a supposedly secure dropbox. That dropbox may actually be secure, but there are a number of ways to subvert it.

Any information that they gave about offline validation could just be stripped out though! What exactly are you proposing that they do that could not be subverted by the very things you are concerned about?

Offline verification would work, but if we are assuming extensive MiTMing and meatspace impersonation then offline verification is just something the whistleblower needs to figure out themselves.

If we assume the adversary controls all network traffic as well as all Tor exit nodes but the would-be whistleblowers and the New Yorker's systems are out of bounds, a valid solution is still possible:

- The plainly accessible page needs to be served through HTTPS, preferably secured with an EV-SSL cert. The adversary would then be unable to read or change any of the site's content; i.e. the whistleblower receives the correct onion link.

- The onion site, too, needs to be served through HTTPS. All traffic passing through Tor is encrypted and thus out of reach of the adversary; traffic leaving Tor for the destination site is encrypted yet again and out of reach as well.

Since few CAs would accept to sign certificates for a .onion domain, that site might have to use a self-signed certificate. This solution remains secure for as long as that certificate's fingerprint is posted on the first page and the whistleblower cross-checks the expected and actual fingerprint values.

This should provide reasonable security for the exchanged message contents. In all likelihood, though, the adversary would be able to prove the whistleblower did communicate with the New Yorker.

One high-risk aspect of this whole deal is a possible breach at any of the whistleblower's trusted CAs. Convergence would be of some help there -- assuming the notaries involved are behaving correctly.

*edit: Sorry, I had a bit of a brain fart right there. Traffic to and from the hidden service (the .onion domain) never leaves the Tor network and thus remains secure. Skip the second bullet point.

You're extrapolating things I haven't said. It is well known that signal interception (and communications interception in general) has been a tool used by the military and the government for as long as any of the above have existed.[1]

"offline verification is just something the whistleblower needs to figure out themselves."

You are seeing the point, albeit as if through a glass, darkly. The New Yorker has not advised anyone of this need, nor have they communicated the additional safeguards one must take, proportional to the risk of interception and identification.

[1] http://en.wikipedia.org/wiki/ECHELON, https://www.eff.org/cases/nsa-multi-district-litigation, black ops, http://en.wikipedia.org/wiki/File:Aldrich_Ames_mailbox.jpg, http://web.archive.org/web/20060210092316/http://www.liberty..., http://books.google.com/books?id=mAR0GI5ggf8C&pg=PA62#v=..., http://www.archives.gov/research/holocaust/finding-aid/civil..., http://www.britannica.com/EBchecked/topic/635080/Sir-Francis..., &c.

In cases where offline communication would catch tampering, why would the New Yorker's advisement to use offline communication go through untampered?

You seem to be misunderstanding me. I think that there is value to offline communication with trusted but unanticipated 3rd parties, but I do not think that there is value to the New Yorker pointing this out.

If the whole thing is legit and they made a page about it, they should notice when they lose control over how that page is displayed in various locations. It could be acceptance tested via many proxies. Maybe a counter-interference phishing bot could send emails and fill forms to make sure they go through correctly. Self-safety audits like that could be built into Tor itself so that these "red blood cell"-like bots are themselves distributed processes (maybe only as pre-installed plugins in the full featured Tor browsers).

Unless the Tor site is a honeypot. Hmm a bit odd they don't have any offline validation instructions on there ;)

I guess the downloaded source code could always be diffed with a known legit copy, if it was compiled on a trusted machine.

By the way, how does one determine the right amount of paranoia?

The first response to this thread helped me understand the issues better: http://www.wilderssecurity.com/showthread.php?t=228869

I get what you are saying, but that issue has almost nothing to do with Tor. Tor doesn't ensure the secrecy of your content, it only attempts to hide its origin.

If you don't trust the recipient then it doesn't matter if Tor is run by the government or not.

You could put on a disguise and use an open wifi access point in a city you've never been to before and bounce through 50 levels of proxy at the same time. If you tell the other person your name, it's not the technology's fault that you're no longer anonymous.

Bingo. Or you send documents that are traceable to a small group of people, including you, and everyone else has protection and/or an alibi. General, General, Colonel, Colonel, Short Bird, Corporal...wait a second.

> My premise is that based on the data I'm submitting, it might be possible to deduce my identity.

I think the goal of Strongbox is to protect sources in the event that the New Yorker is forced to turn over material to the government. What they never knew, they can't turn over, but that doesn't apply to the information you leak. The government will be able to get at that information because writers will have to keep it for reference while they're writing and fact-checking their articles.

> Then again, maybe I'm just a paranoid coward. I'm so glad I don't have access to information anybody would be interested in.

I agree with everything else you're saying, but I should just point out one thing:

It doesn't matter whether or not anybody is interested in your information - especially in this era of en-masse passive data collection, you have the right to your own data, which includes the right not to be snooped on by third parties (governmental or otherwise).

It doesn't matter whether or not you "have anything to hide", only whether you have anything you want [voluntarily] to show.


Honestly, it's great that you're passionate about the issue, but that doesn't a logical argument make. Privacy is an intuitive concept, but it translates surprisingly poorly to reality. That's not to say privacy doesn't exist or isn't important, but that we don't actually know what it is.

Intuition makes for bad law, not least because everyone has different intuitions; it's basically asking, "Why don't programmers just program in English?"

Thankfully, my kids are learning Lisp before English, so at least that lets them program more intuitively.

(Kidding: ... if only I could. My son doesn't seem interested in it.)

I think "privacy as a right" is a difficult issue.

I am down with "not getting tortured" as a right. But privacy is ... a privative. I think a more useful and fruitful direction will be requiring publication of holding of private data, and then we can enforce any number of outcomes.

Do we actually have the right to our own data in America? Or are you just saying we should have the right?

It depends on whether you want someone to grant you rights, in which case, they're privileges.

I think you're misreading. "I don't have access to information anybody would be interested in" doesn't mean "I have nothing to hide." It means "I have nothing to leak."

I agree with the general statement, though.

> How can you be sure that the data you are submitting is not intercepted? How can I be sure that all my traffic is not running through one government network (because all tor nodes still left are compromised)? How can I be sure that I'm actually submitting my information to the New Yorker in this case as opposed to a government server posing as them?

even if this were the case, how could you be personally identified? worst case is the government gets the document you meant for the new yorker, but you still wouldn't be identifiable (unless your name was on the document etc.). Unless you're saying the government runs the majority of tor nodes so they could track back to your ip?

You're confusing the issues of anonymization and eavesdropping. Tor exit nodes can eavesdrop on unencrypted Tor traffic, so you should always use end-to-end encryption if that is a concern. Tor Hidden Services don't need SSL because the protocol is end-to-end encrypted. Authentication is provided by the onion address itself, which is a fingerprint of the server's key.

Their website says that their hidden service is available at http://tnysbtbxsf356hiy.onion. But how do I know that I am on their website? How do I know it's not the compromised tor exit node that's serving me a modified New Yorker page that is just pretending that the hidden service is at http://tnysbtbxsf356hiy.onion when in fact it is at http://tnysbtbxsf356hjy.onion

The data I'm sending can be a huge give-away of my identity - especially if they play along, pretending to be the new yorker and then tricking me into releasing more information than I wanted.

If that page that's linking to the hidden service was served over SSL with an EV certificate, then I could be sure that the link isn't faked. Of course the New Yorker could still be compromised by the government, but as long as I'm willing to trust them, I can at least be sure that I just submitted my data to them and not somebody pretending to be them.
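The two points argued above, as an added example that is not part of the original thread: a v2 .onion name is the base32 form of the first 80 bits of the SHA-1 hash of the service's public key, so the name authenticates the key, while the channel that delivered the name still has to be cross-checked. The key bytes are constructed stand-ins and the channel names are hypothetical; the two addresses are the ones quoted in the comment above.

```python
import base64
import hashlib
import re

ONION_V2 = re.compile(r"^[a-z2-7]{16}$")  # 80 bits, base32-encoded


def onion_v2_label(pubkey_der: bytes) -> str:
    """Name of a v2 hidden service: base32 of the first 80 bits of the
    SHA-1 digest of the service's DER-encoded RSA public key."""
    digest = hashlib.sha1(pubkey_der).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def parse_onion(text: str) -> str:
    """Reduce 'http://xxxxxxxxxxxxxxxx.onion/' to its 16-character label."""
    host = re.sub(r"^[a-z]+://", "", text.strip().lower()).split("/")[0]
    label = host[:-len(".onion")] if host.endswith(".onion") else host
    if not ONION_V2.match(label):
        raise ValueError(f"not a v2 onion label: {text!r}")
    return label


def key_matches_address(address: str, pubkey_der: bytes) -> bool:
    """The self-authenticating step: does the presented key hash to the name?"""
    return onion_v2_label(pubkey_der) == parse_onion(address)


def cross_check(observations: dict) -> dict:
    """Compare the address as obtained over several channels.

    Reports disagreement only; it cannot say which value is genuine.
    Returns consistent (bool), groups (label -> channels) and the
    character positions at which the observed labels differ."""
    groups = {}
    for channel, text in observations.items():
        groups.setdefault(parse_onion(text), []).append(channel)
    labels = list(groups)
    diff = sorted({i for a in labels for b in labels
                   for i in range(16) if a[i] != b[i]})
    return {"consistent": len(groups) == 1, "groups": groups,
            "diff_positions": diff}


# Constructed bytes standing in for two DER-encoded public keys.
REAL_KEY = b"constructed stand-in for the publisher's DER public key"
OTHER_KEY = b"constructed stand-in for some other party's DER public key"

# Addresses quoted in the thread; the channel names are hypothetical.
OBSERVED = {
    "page fetched over plain HTTP": "http://tnysbtbxsf356hjy.onion",
    "read out by a second person": "http://tnysbtbxsf356hiy.onion",
    "bookmark made last week": "tnysbtbxsf356hiy.onion",
}

if __name__ == "__main__":
    addr = onion_v2_label(REAL_KEY) + ".onion"
    print(addr)
    print("same key:", key_matches_address(addr, REAL_KEY))
    print("other key:", key_matches_address(addr, OTHER_KEY))
    print(cross_check(OBSERVED))
```

A single differing character is enough to name a different key, which is why the comparison covers all 16 positions rather than the first few.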

> If that page that's linking to the hidden service was served over SSL with an EV certificate, then I could be sure that the link isn't faked. Of course the New Yorker could still be compromised

The New Yorker or any CA capable of issuing EV certificates present in your browser. Do you trust all of them?

Hopefully not, given that just yesterday there was a post on how the Saudis were planning on using CAs as an attack vector...

Good point. At some point, you'll need to communicate the onion address over a trusted channel. If you trust SSL, then you can serve the landing page over HTTPS, or as others have suggested, you could print the address in the New Yorker itself. I have also heard of using Namecoin or other proof of work schemes, although that would be outside the reach of the average user.

If neither of these avenues satisfy, a simple idea for defense-in-depth I've thought of is using .onion vanity name generators (see https://github.com/katmagic/Shallot) as a very simple proof of work scheme. For example, silk road's .onion starts with silkroad. Finding such an .onion address for a given private key requires brute force computation - according to the Shallot github, about 25 days. Therefore, generating an .onion with a recognizable string at the beginning makes generating a suitable address for spoofing that much harder. Of course, this is hardly a solution - big scary Tor-style adversaries certainly have more computing power than you - but it is something to consider.
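The arithmetic behind the vanity-prefix idea above, as an added example that is not part of the original thread: it estimates how the brute-force cost scales with the number of characters a reader actually compares. It assumes the 25-day figure quoted there is the cost of an 8-character prefix, and the key bytes are constructed stand-ins, not RSA keys.

```python
import base64
import hashlib

ALPHABET_SIZE = 32        # base32: a-z and 2-7
SECONDS_PER_DAY = 86_400


def onion_v2_label(key_bytes: bytes) -> str:
    """base32 of the first 80 bits of SHA-1 over the key bytes."""
    digest = hashlib.sha1(key_bytes).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def expected_attempts(matched_chars: int) -> int:
    """Mean number of keys tried before `matched_chars` chosen characters match."""
    return ALPHABET_SIZE ** matched_chars


def rate_from_reference(ref_chars: int, ref_days: float) -> float:
    """Keys per second implied by one data point (ref_chars took ref_days)."""
    return expected_attempts(ref_chars) / (ref_days * SECONDS_PER_DAY)


def seconds_to_match(matched_chars: int, rate: float) -> float:
    """Expected time to match `matched_chars` characters at `rate` keys/s."""
    return expected_attempts(matched_chars) / rate


def toy_search(prefix: str, limit: int = 500_000):
    """Check the 32**n model empirically on a short prefix.

    Iterates over constructed byte strings (not real keys) and returns
    (label, attempts) for the first label that starts with `prefix`."""
    for attempt in range(1, limit + 1):
        label = onion_v2_label(b"constructed-key-%d" % attempt)
        if label.startswith(prefix):
            return label, attempt
    raise RuntimeError("prefix not found within limit")


def comparison_table(rate: float, lengths=(4, 5, 6, 8, 12, 16)):
    """(chars compared, expected attempts, expected seconds) per length."""
    return [(n, expected_attempts(n), seconds_to_match(n, rate))
            for n in lengths]


if __name__ == "__main__":
    # Assumption: 8 characters in about 25 days, per the comment above.
    rate = rate_from_reference(8, 25)
    for n, attempts, secs in comparison_table(rate):
        print(f"{n:2d} chars  {attempts:.3e} attempts  "
              f"{secs / SECONDS_PER_DAY:.3e} days")
    label, tries = toy_search("ab")
    print(f"toy search: {label} after {tries} attempts "
          f"(model predicts about {expected_attempts(2)})")
```

Each character a reader skips divides the work by 32, so a recognizable prefix only raises the cost for readers who compare at least that many characters; at the assumed rate, matching only the first five characters takes about a minute.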

Someone mentioned this somewhere else, but the beauty for print news organizations is that they can print the address physically in their paper.

> How can you be sure that the data you are submitting is not intercepted?

Tor is not meant to guarantee that your messages are not being intercepted. It is simply not meant to protect against this. Use end-to-end encryption. (Does strongbox use encryption on top of tor? I am not sure).

> How can I be sure that all my traffic is not running through one government network (because all tor nodes still left are compromised)?

That is the more pertinent question, indeed. That's the correct question about Tor security, and would be what would cause Tor to fail at what it does intend to do. There are some written analyses of this risk.

> How can I be sure that I'm actually submitting my information to the New Yorker in this case as opposed to a government server posing as them?

Tor isn't necessarily meant to guarantee that either, an SSL cert with a known/trusted fingerprint would be. But you're right the new yorker is not doing the right things here either.

I am less worried about the integrity of Tor, but I think you are right that the new yorker is not doing all the right things to maximize security/anonymity here. Security is hard. But among other things, they ought to be serving all strongbox related things (including the endpoint you access over Tor) over https, and publishing their SSL cert fingerprint in multiple places all over the net.

> How can you be sure that the data you are submitting is not intercepted?


Hidden services can't / don't need HTTPS because they never leave the Tor network and are authenticated by the URL itself.

Yep, I'm aware of that. He was specifically referring to exit nodes.

It would be nice if some of the companies who control a lot of bandwidth would dedicate even a few Gbps to the cause. Google comes to mind, it's in their interest for Tor to be fast and secure so that users in countries with internet restrictions can use Google (China/Iran/Syria all come to mind).

The problem with any one company controlling a large portion of the Tor network is that it would open up the network to a few new classes of attacks.

Multiple companies have the bandwidth.

I wonder though, would anybody actually use evidence gathered from Tor in that manner? That would mean revealing that they can feasibly do it and they'd lose a huge intelligence asset.

They'd get to see the information, but they wouldn't be able to action it without showing their hand.

I'm sure they have channels for information laundering. Example: they present the Tor evidence to one of their classified courts, get a sealed warrant to wiretap your house, and then re-collect the information from a bug they plant directly on your computer. Or they could just watch you closely until you screw up. Or they could honeypot you.

> the onion URL given isn't using ssl either

doesn't need that hacky ssl stuff, it's end-to-end encrypted within the tor network. http://security.stackexchange.com/questions/11727/does-tor-h...

they could print the onion url in their newspaper even, if you don't trust your connection to the announcement. But yeah at some point there is always some trust involved.

As a Tor Exit Node Operator, I can say that not all of the nodes are compromised.

I'm not surprised to see this coming from The New Yorker.

I've all but given up on quality journalism from most "newspapers," but long-form investigative articles from The New Yorker and Vanity Fair (yes, of all places!) always keep my faith in humanity. Less-lengthy but usually well-researched articles from Mother Jones and Harper's are also up there.

Other sources that sometimes do an awesome job but other days leave you scratching your head would be NPR, The Atlantic (less investigative journalism, but awesome write-ups), The New York Times (covering everything from tabloid trash to 20-page quality journalism spreads), and The Seattle Times (likewise, but less crappy and less awesome at both extremes).

If you haven't already, check out The Economist. They have a strong, clear ideological bias, but the writing is excellent and it's one of the very few places to get any sort of news in English about parts of the world that The Times ignores.

I have been a subscriber to the Economist for, woah, 11 years now. Simply by virtue of its weekly format, it does a good job of ignoring a lot of the interesting-but-transient stuff that wastes your time if you read regular news online. It also has great breadth of coverage -- it's easy to get parochial when you read online news, especially tech, and the E is a reminder that the rest of the world exists and that important things are happening in it.

However, the breadth seems to often come at the expense of depth -- on the occasional chances I get to discuss an article in the Economist with an actual expert in that field, it seems their analysis is often dismissed as superficial and they not-infrequently get basic facts wrong (their letters section often contains quite substantial corrections).

I generally read the Economist by means of their website, and it's quite interesting to read the comments on articles; they usually fill in the gaps of the articles or point out errors (especially in the case of articles focused on a single country, which if flawed will bring out the nationals in force.)

I'm (usually) a fan, but I hesitated to group it with the others because it's rarely journalism and more often (usually deep and insightful) analysis of events.

If you just want news on the parts of the world that American media ignores, a combination of BBC News and AlJazeera English is a good option.

I mostly think so as well, though poor quality of analysis in a couple of areas I had direct experience with has made me doubt the quality of analysis in other areas as well.

Once you notice how bad The Economist is in your particular area of expertise (whatever that may be), you realize that it's just Newsweek for people who don't want to admit they read Newsweek.

I thought this was the case, and bought an electronic subscription a year or so ago. As you say, good International coverage, but the writing was shockingly bad in many cases - technically incorrect and sloppy. I cancelled.

I sometimes feel that way about the science reporting. The other stuff is top-notch, IMO. Or do you mean like grammatically incorrect?

The OP was praising Mother Jones for FSM's sake. I'm pretty sure he's fine with ideological biases.

> Vanity Fair (yes, of all places!)

Vanity Fair had Christopher Hitchens as a contributing editor for a long time.

I'd say that alone gives them some journalistic credibility.

Seriously. I'm always baffled by statements like, "Vanity Fair is actually really good!" Yes, they do good reporting. They also cover fashion and lifestyles very well too.

Claiming that fashion and entertainment don't matter is a meme amongst some people who long to be seen as intellectually superior.

Hitchens is the guy who claimed the Viet Cong/NLF never used car bombs, right? Saddam was working with AQ all along? And lots of other bullshit? No, he was a disgrace, and that rag's association with him does not reflect well on them.

> claimed the Viet Cong/NLF never used car bombs, right?

No, that's not what he claimed. He claimed they didn't use car bombs "on American or any other foreign soil," which doesn't negate the use of such bombs on Vietnamese soil.

I don't have strong feelings for or against Hitchens, by the way.

Yup, Vanity Fair is a good magazine in spite of Chris Hitchens, not because of him.

Those two and the Atlantic is what I have subscriptions for right now. VF is kind of iffy, though. My wife and daughters make fun of me for having the subscription but every two or three issues there's something really good in the back. And it always smells good, if you have the paper subscription.

It is minor in comparison, but the writing is impeccable too. While the New York Times' copy-editing and style guide enforcement have been in free fall for decades, the New Yorker remains a great resource for well crafted standard written English. I often recommend it to friends who have English as a second language and are trying to improve their writing. I do warn them about the diaeresis though.

Mother Jones & ProPublica belong in that list, too.

The New York Review of Books is excellent too.

FYI, "Strongbox" is a fork for the open source project that Aaron coded, which is called "DeadDrop"...it was down because Github pages was recently down, but back up now: http://deaddrop.github.io/

The repo contains this thorough Threat Model/theory guide: https://github.com/deaddrop/DeadDropDocs/blob/master/THREAT_...

It's not a fork, it's the first production use since DeadDrop was discussed with/instigated by New Yorker journos.

In fact, there's a shout-out and link to DeadDrop in the page's introduction. Not sure why you thought an FYI was necessary...

I came across StrongBox in this blog post, in which DeadDrop was mentioned but the repo not linked to:


In the OP, "DeadDrop" is listed prominently but not as text...so when I came to the page, my first instinct was to do a Find for "deaddrop" to see if the repo was there, which comes up empty of course.

Without reading the Aaron Swartz post, I would've assumed "DeadDrop" was an existing service because of the brandlogo, and not a link to the open source repo.

Note: I'm not saying there's anything wrong with how it's done, I'm just pointing out my thought process: Anyone who comes to the OP without having read the Aaron Swartz post would not know of the open-source project underneath it (though it isn't a fork, so my mistake) and may not click through the "DeadDrop" logo. People who have read the Swartz post may be like me, wondering where the Github code is, as it is not linked to in the Swartz post.

Just trying to make the project more visible for those of us less skilled at sussing out HTML. No fault of the New Yorker's...both posts are aimed at different audiences (though the Swartz post should probably just include a link straight to DeadDrop for convenience's sake)

well, I for one was glad to see the threat model link.

This comment is somewhat parenthetical, but one thing I am glad to see is that the cyberpunk/cypherpunk spirit that was so influential in the early days of the Internet has carried on over into today. There are areas -- important ones -- where anonymity and cryptography are necessary tools in addressing various wrongs, regardless of the objections of the state. That a mainstream journalism organization like The New Yorker has recognized this, and has found it important enough to implement a technical means of addressing, shows that the work of pioneers like Zimmerman, Assange, Schwartz, and many others has been fruitful over the long term.

I... just realized that I know so many Zimmermans that I don't know which one you're referring to offhand.

Probably the inventor of PGP: https://en.wikipedia.org/wiki/Phil_Zimmermann

Might be useful to serve that page over https so the .onion address it contains can't be changed by a man in the middle.

Agree. I think they should be using HTTPS, HSTS etc for this page.

Github Pages, to my knowledge, doesn't support HTTPS. They'd have to move it.


That doesn't help if you're talking securely to the wrong address.

The parent was saying that the onion address could be changed. Did you even read what they wrote?

[edit] because the original poster deleted their post, it said something like: that's pointless, because tor ensures that communication is secure [/edit]

This is amazing because it's endorsed by a major mainstream news organization. A good point when arguing with those that defend that Tor is only meant for terrorism, child pornography and illegal activities.

> Tor is only meant for
Tor was developed by the US Navy so that people in oppressive regimes could have secure communications, though I guess that could qualify as 'illegal activities' under the laws of said regimes...

It's great to see a reputable organization finding use for Tor and online anonymity. Innovative, advantage gaining move in a not so innovative industry.

In the past decade, the New Yorker has been the only news organization (aside from Wikileaks) doing significant investigative journalism.

NPR is great, but never questions the legitimacy of the US Government.


B/c few entities have the ability to do it. The public relies upon the press to act as a check against government power and corruption. This is why we have the 1st amendment.

The cozy relationship between the press and government rots away at the foundations of freedom and democracy. It is a moral duty of the press to expose corruption at all levels.

Notably, the NY Times (one of the few papers with the reach and scale to do meaningful investigation of US Government corruption) has written a variety of slander pieces about Julian Assange, strangely deciding to pick sides. The paper had the ability to act as a responsible intermediary between the leaked data and the public, but instead chose to flagrantly side with government power.

...This is a more subtle form of the same arrogant jingoism (and American flag pin wearing foolishness) of Fox News reporters.

I admire their excellent investigative work, but they're certainly not the only one. Just three days ago the New York Times published a fascinating article [0] about a crooked Brooklyn detective who, with the collusion of Elizabeth Holtzman's AG office, put probably dozens of innocent people in prison for murder. These cases are getting reviewed and the victims released after years in jail, partly due to the Times' investigation. This is just a recent example.

[0] http://www.nytimes.com/2013/05/12/nyregion/doubts-about-dete...

This is just blatantly untrue. Take a look at Pulitzer Prizes for Investigative Journalism since 2003 (http://www.pulitzer.org/bycat/Investigative-Reporting):

* The New York Times

* The Blade (Toledo, OH)

* Willamette Week (Portland, OR)

* The Washington Post

* The Birmingham (AL) News

* The Chicago Tribune

* The New York Times

* The New York Times

* ProPublica

* Philadelphia Daily News

* Sarasota Herald Tribune

* The Seattle Times

* The Associated Press

* The New York Times

If that's not a diverse group of news organizations, I don't know what is.

That also doesn't include things like the Walter Reed Army Medical center scandal (http://en.wikipedia.org/wiki/Walter_Reed_Army_Medical_Center...), because it falls under the Public Service category: http://www.pulitzer.org/bycat/Public-Service.

How many of those stories would cause the reader to question core assumptions about the legitimacy of the US Government?

Corporate, local, and state-level corruption are all small potatoes fare that is used (along with sensational stories with little actual news content) as a tool to help the orgs pretend to be doing real journalism.

Notably, the NY Times was complicit in the propaganda effort to overthrow Saddam Hussein.

Let me get this straight.

Any investigative journalism that does not directly address what you believe to be the most important topic (the legitimacy of the US government) is automatically not actual investigative journalism. Not only that, anything that does not address your favorite championed cause is automatically "small potatoes" that is in fact part of the conspiracy for journalists all over the country to fool everyone into believing real journalism is occurring.

Are you seriously leveling this claim?

In other news, all sci-fi TV shows are in fact not actual sci-fi TV shows because they aren't Firefly.

When he first took office, George W. Bush thinned the herd of the White House press corps. He broke the tradition of seasoned reporters getting access and replaced it with selective access based on his personal like/dislike of individual reporters.

This has had a chilling effect on de-facto press freedom in DC. In the meantime we've seen utterly shocking things go largely unreported b/c topics are generally verboten and the press instead focuses on less consequential issues.

In comparison to the stuff that is not getting significant press, the smaller stuff is largely irrelevant to the lives of most Americans.

There are great reporters who write about everything from local sports to local corporate corruption, but the high quality of their work should not shield the major players from accountability for utterly failing in their major moral and professional duty.

Almost true but not quite. Both Harper's and Mother Jones can generally be counted upon to rake a little muck.

There was a fantastic article from Mother Jones yesterday exposing how terrible America's prisons are, and in fact MJ shows up here about once a month or so, it seems.

You're talking about "in North America", right?


The Stranger? Seattle Times?

This thread - of smart people - shows a little bit of confusion over the difference between anonymous and secret.

That's kind of scary when we think about the reasons someone might be sending stuff to a newspaper, and the need they have to be anonymous. Secret would probably be good too. At least until the newspaper prints.

Newspapers are supposed to explain stuff to their audience. This article doesn't explain much. Like the saying goes, when I see how badly they do with stuff I know about I have to wonder about everything else too.

Nice. I have to say this is the best approach to "wikileaks"-style journalism since wikileaks itself imploded. Now here's hoping they have what it takes to publish what lands in their inbox, even when the US Govt objects...

It's a sad day when a US based publication is leading the charge to protect its sources to ensure the vitality of the freedom of the press. I had expected this in an authoritarian regime, not here.

In a real authoritarian regime this page would not have existed at all due to government pressure (or would have been a honeypot for government). Such regimes generally work through the double whammy of threat of action (legal or thug-based, e.g. in Russia) to the actual reporters who uncover dirt and subtler threats/coercions to their bosses, the latter of which leads to self-censorship and is much preferred. A recent example of the second approach is the suppression of news about the bombing in Reyhanli in the Turkish press.

I considered the same argument you are making before posting my comment. However, for this to have happened in USA it means we are half way there or getting there.

The media is controlled by two factions now: Government through access (you don't get to come to white house if you piss us off or you won't get the interview)

Large corporations and the major characters behind them. (i.e. Fox News, Viacom, etc.)

This is not the path to maintain an open society. We don't need thugs like less sophisticated media controlled countries, we control media in a much more elegant way. But the results are the same!

As the blog post announcing this points out (http://m.newyorker.com/online/blogs/closeread/2013/05/introd...) in a lot of ways this is an extension of the mailing address or phone number that the New Yorker has advertised (and informants have been using) since the 1920s.

I disagree. The tools that journalists have been using to protect their sources are woefully inadequate in the digital age. The government has moved forward with surveillance techniques and is always advancing its information-gathering methods. When I ask friends who are journalists how they stay anonymous and protect their sources, the best they can do is "meet on a park bench and don't use the phone."

It's high time for journalism to upgrade their toolbox for gathering information and protecting their sources in the 21st century. However technically sound this effort by the New Yorker is, it is a step in the right direction.

I disagree. Sometimes maintaining that type of freedom of the press requires strong vigilance and defense on the side of the press, rather than taking it as a given.

The government has really showed us how little we can trust them in the last couple weeks. Go Tor!

ToR is funded by the US government.

and, according to about TOR [0], it is still used by the US Navy for intelligence gathering. Which is probably the best protection for the project, since those guys really care about anonymity.

[0]: https://www.torproject.org/about/overview.html.en

What does that have to do with his claim that the USG is not trustworthy? Are you implying that it isn't the solution that it claims to be, due to the funding source?

I'm not claiming anything - I'm simply pointing out that the answer to the question "will tor protect me" has a little bit more nuance than it is usually answered with...

That's why I said "implying" - can you state directly what you mean? Your reply wasn't directly relevant and you're intentionally being vague and ominous, which isn't useful.

The most logical conclusion, given the information that you're providing, is that "Tor might not protect me because the authors accept US Government funding".

If so, it's important to call that out as the BS that it is. Either you are highly ignorant as to how Tor works, or you are being malicious for some other reason.

If I've missed something, please clarify.

GlobaLeaks enables news organizations to offer a similar functionality: github.com/GlobaLeaks Includes some Tor developers on the dev team.

They have been working on this for 2-3 years in the open and would appreciate bug reports & people to run the code. They also currently maintain Tor2Web, the first version of which was written by aaronsw

Nice to see a strong endorsement of Tor. I imagine it will help The New Yorker attract new sources for their stories.

I'm pretty much ignorant about Tor, but I'm curious why the .onion strongbox address they give is a string of random characters, instead of something recognizable/memorable?

The address is also a public key. No one else can pretend to be the New Yorker unless they have the corresponding private key.

If the address was just "newyorker.onion", you'd still need to find some way of safely verifying the public key to make sure you're really talking to the New Yorker.

This could be a naive question, but would it be possible to allow the site to choose their public key text? That way they could choose 'newyorkerstrongbox' or similar.

Somewhat - you can keep generating keys until the characters look like something. SR's address starts with "silkroad" followed by a few more random characters.

No, that would pretty much break the whole public-key cryptography if it were possible.

Agreed, my wording was poor - see reply below by aceberry for what I was trying to get at.

If they wanted to make a memorable address, they would have to run something like Shallot [1]. This is essentially brute forcing private keys until you find the public key you want. Depending on the name, that could take a very long time.

[1] https://github.com/katmagic/Shallot

I don't really understand how they can claim that shallot-generated keys are as secure as normal keys. If you are able to essentially brute force your key (to create the customized address), wouldn't the adversary (with presumably much greater computing power) be able to do the same?

Thanks, that's what I was thinking of.

If you combine Namecoin with Tor you could get close. Have a Namecoin .bit address point to a Tor .onion address.

As long as you don't let the .bit address expire, you'll have a secure, easy to remember address people can use to access your hidden server.

I don't know the specifics, but my understanding is that the seemingly random string of characters is a crypto signature.

If I'm not mistaken, it makes the site safe from Man In The Middle attacks.

From the Tor design paper[1] section 5.2:

> Location-hidden services use a virtual top level domain called .onion: thus hostnames take the form x.y.onion where x is the authorization cookie and y encodes the hash of the public key.

[1] https://svn.torproject.org/svn/projects/design-paper/tor-des...
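An added example, not part of the thread and not Tor's or Shallot's code, of the address scheme these comments discuss: it derives a 2013-era (version 2) .onion name as the base32 encoding of the first 80 bits of the SHA-1 hash of the service's DER-encoded RSA public key, checks a presented key against a published name, and compares the average work for a vanity prefix with the work to match a full address. The key values are constructed stand-ins and the function names are this example's own.

```python
"""Added illustration: version 2 .onion address derivation and vanity cost."""
import base64
import hashlib


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value; a leading 0x00 keeps it positive."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + der_len(len(body)) + body


def rsa_public_key_der(n: int, e: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus, publicExponent }."""
    body = der_integer(n) + der_integer(e)
    return b"\x30" + der_len(len(body)) + body


def onion_v2_address(pubkey_der: bytes) -> str:
    """First 80 bits of SHA-1 over the DER key, base32-encoded (16 chars)."""
    digest = hashlib.sha1(pubkey_der).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"


def key_matches_address(pubkey_der: bytes, address: str) -> bool:
    """Client-side check: does the key the service presents hash to the name?"""
    return onion_v2_address(pubkey_der) == address.strip().lower()


def expected_keys_for_prefix(prefix_len: int) -> int:
    """Average keys to generate before the first prefix_len characters match.
    Each base32 character carries 5 bits, so the odds are 1 in 32**prefix_len."""
    return 32 ** prefix_len


# Matching all 16 characters means matching all 80 bits of someone else's hash.
FULL_ADDRESS_WORK = expected_keys_for_prefix(16)  # 2**80

# Constructed 1024-bit odd numbers standing in for RSA moduli. They are NOT
# real keys (not products of two primes); only their encoding matters here.
SITE_N = (1 << 1023) + 0x1D3
OTHER_N = (1 << 1023) + 0x2A7
E = 65537

SITE_KEY = rsa_public_key_der(SITE_N, E)
OTHER_KEY = rsa_public_key_der(OTHER_N, E)
SITE_ADDRESS = onion_v2_address(SITE_KEY)

if __name__ == "__main__":
    print("published address:", SITE_ADDRESS)
    print("genuine key accepted:", key_matches_address(SITE_KEY, SITE_ADDRESS))
    print("other key accepted:  ", key_matches_address(OTHER_KEY, SITE_ADDRESS))
    prefix_bits = expected_keys_for_prefix(8).bit_length() - 1
    full_bits = FULL_ADDRESS_WORK.bit_length() - 1
    print("8-char vanity prefix: about 2^%d keys" % prefix_bits)
    print("full 16-char address: about 2^%d keys" % full_bits)
```

An eight-character prefix such as "silkroad" costs about 2^40 key generations on average, while matching an existing service's whole name costs about 2^80, which is the gap the Shallot question above is asking about.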

I don't get the point. If you trust them, isn't it okay to reveal your identity to The New Yorker anyway since they're legally protected from being compelled to reveal your identity? And if you don't trust them, why should you trust that they're not logging your identity even on Strongbox?


If you read the first paragraph of the wikipedia article you link you'll see this in the last line:

"In the United States, the federal government legally contends that no such protection exists for journalists."

There are well documented cases (and even a movie based on true events) of journalists having to go to prison because they wouldn't reveal sources.

e.g. Found this on Google searching "reporter source prison": http://www.theblaze.com/stories/2013/04/08/as-fox-news-repor...

You raise a good point. However, in light of the Justice Department secretly obtaining AP phone records [1], this provides an alternative option for secure information.

For information that is best delivered anonymously, this sounds like one of many tools to get your message out there.

[1] http://www.npr.org/2013/05/14/183810320/justice-department-s...

No he does not have a point. Even if he does trust them, that's irrelevant. The point of anonymity is so others (especially governments) don't find out your identity. That can be done regardless of how much you trust the publisher.

Why do you think Wikileaks was invented?

American journalists aren't legally protected from revealing their sources at all and there's journalists in jail right now for just this reason.

Have you somehow avoided the news from the last couple days?

Actually I have, what are you referring to?

U.S. Secretly Obtains Two Months of A.P. Phone Records


With Tor your identity can't be logged. Even if they are forced to reveal their logs, they'd be completely worthless.

Because if you are going to break the law by leaking information, no matter how noble your cause, I would imagine that every additional person who is aware of your identity would give you tremendous pause.

You'll probably have to reveal your identity in many cases, unless your evidence alone is convincing beyond a doubt, but your correspondence should still be performed and stored as securely as possible.

"If you trust them"?

What does that even mean in a time when the US government can pressure reporters into giving them the information anyway, or simply spy on them (see AP spying case).

The deaddrop installation documents (https://github.com/deaddrop/deaddropdocs/) refer to a repo at https://github.com/deaddrop/deaddrop_puppet which doesn't seem to have been made public yet. Would be interesting to see the rest of the installation procedure.

I hope this becomes a standard, every news organization needs one of these.

VERY wise move! Contrary to tormail.org - you know who owns the TOR-based messaging system and this will surely increase an inflow of "hot" [albeit unverifiable] stories! Great way to stay ahead of less techy competition.

Good for the New Yorker; I hope this catches on. Unfortunately, if the encryption is not end-to-end, the data is not secure. In fact, the NSA may choose to hang out and watch the unsecured traffic flow.

The New Yorker should make the traffic a little more secure by encrypting traffic (using https).

There have been past instances where similar weaknesses were exploited by sniffers: http://www.wired.com/politics/security/news/2007/09/embassy_...

That vulnerability applies when accessing normal web pages via Tor.

But that's not what the New Yorker has set up. They're hosting a Tor hidden service, and in that case Tor is necessarily encrypting the traffic end-to-end.

The problem is that you got the .onion address from an unsecured web page.

Someone between you and that unsecured web page could've changed the .onion address and when you went there you would be visiting a Strongbox hosted by the NSA rather than one for The New Yorker.

This is why you typically want to publish things like this as far and wide as possible - if any single source is compromised, it can be detected by noticing a discrepancy between two publicly available addresses. I'd wager they'll put it in their print edition (same as their physical address and phone number) from now on, because the NSA probably isn't going to everyone's house swapping out their magazines for altered ones, so anyone who gets the magazine will have a hard copy of the address.

Do CAs actually sign .onion certs? Of course they could go self-signed with fingerprint on the public-web site, but that would make it more difficult to use for fairly minor gain.

Trying to do something similar here: http://valleyanon.com/ - Let me know if you're interested in helping out with the project.

Soooo can .onion addresses be spoofed for MIM attacks?

Man in the middle attacks on Tor are possible. Check out Moxie Marlinspike's 2009 BlackHat DC Presentation on SSL Stripping:



Attacks such as those referenced are not relevant in this case.

As this website is being served as a hidden service, the traffic never exits the Tor network. There's no SSL in use for a MITM attack to remove, nor does there need to be.

Moxie demonstrated sslstrip on Tor exit nodes. It will not work on hidden services as the address contains a hash of the server's public key.

What an awesome idea, this needs to become a standard. This will lead to lots of interesting and previously impossible stories in the future!

What is the purpose of the people on the New Yorker end having to switch machines? How can the submitter trust that they've done that?

Because the internet facing machine could have been infected with malware that allows someone to read the decrypted message, and send it back over the internet. First, being compromised in the first place is less likely for the machine not connected to the internet, because it is booted fresh from a CD-ROM every time, and the CD is read only, so in order to install something unwanted on the computer the attacker would have to physically replace the CD. Second, even if it were compromised, it is not connected to the internet, so there should not be any way for it to transmit the information, again unless someone has physically bugged the machine.

How do we know that Tor is reliable?

It's the de facto standard, but, barring bugs, is it provably NSA-resistant?

Pedantic response: There's surprisingly little provable (in the mathematical sense) security in the crypto world. It's possible, though rather unlikely, that the NSA has a cheap way to factor large numbers and has been laughing at us all for decades.

Less pedantic response: Tor does use good strong crypto and has been examined by many experts, both practical and theoretical; I'd be surprised if the crypto, protocol design, or even the implementation is the weakest spot.

One weak spot it does have is traffic analysis. Any low-latency anonymity network has this problem: if someone can observe the traffic in and out of enough nodes on the network (even if they can't decrypt any of it) they can statistically correlate arrival times and figure out who is talking to whom pretty reliably. Even if you can't read the data, reading the envelopes is enough to plug leaks, find dissidents, etc. (Consider the Associated Press phone records affair.) If the attacker can experiment by causing brief interruptions or delays on the circuits between nodes they can extract even more information. Google will find you many cites on this subject.

The Tor project tries to mitigate this but considers a full solution out-of-scope (for fairly good reasons, I think). There aren't many projects that really do try to address it --- the old cypherpunk Mixmaster network is the only one I know of offhand. And even there, the best you can do really is up the constant factors of the attack, or push the attack one level up into the greater network of human communication ("who knew X, at a time they could have communicated it to Y? Who knew Z, at such a time?").

Even if it is already entirely broken by them, there's the question of whether they'll risk revealing that fact by going after you (publicly) c.f. Ultra[1] level intelligence from breaking Enigma.

[1] https://en.wikipedia.org/wiki/Ultra_%28cryptography%29#Safeg...

Yes, we all read Cryptonomicon too.


I'm less concerned for the encryption. In principle, Tor guarantees anonymity - my question is really, "How guaranteed is that anonymity, assuming Tor's implementation is correct?"

I concur that, if anyone has been able to break Tor, they haven't made use of it in any public way. You can only really do that once.

Put another way: Suppose I want to know who is sending messages to the New Yorker's strongbox, but I don't have physical access to their isolated system. Can I figure it out? How many Tor nodes would I need to compromise to have a ~5% shot at discovering interesting information about the sender?

I am not sure you can put down a real number, but the developers are in concert with power users, and they are well aware of when something is fishy and they patch quickly, specifically for the very well-known state actors that Tor irks (e.g., China and Iran). See one such recent example:


And yes, I know this supposes it is an obvious attack vector, and this is not really disastrous; they got blocked. I encourage you to read the Tor Project blog. They did, for example, an excellent writeup of how BEAST was not impacting them, and did a very detailed layman's article on how, even if their implementation did not pad TLS the way it did, would still not be exploitable with the BEAST exploit.


There are a lot of eyeballs, and all the usual cathedral and bazaar quotes will tell you I trust their implementations, despite its dubious origin with a Naval Postgraduate School thesis, than other systems that are not open source.

Out of interest, what are other potential applications for Dead Drop, beyond journalism?

What's a good guess here as to the signal to noise ratio?

I'm really searching for an Al Gore joke here, someone help me out.
