The New Yorker Launches 'Strongbox' For Secure Anonymous Leaks

← Back to Stories (view on slashdot.org)

The New Yorker Launches 'Strongbox' For Secure Anonymous Leaks

Posted by Soulskill on Wednesday May 15, 2013 @06:47AM from the sing-like-a-really-safe-canary dept.

Today The New Yorker unveiled a project called Strongbox, which aims to let sources share tips and leaks with the news organization in a secure manner. It makes use of the TOR network and encrypts file uploads with PGP. Once the files are uploaded, they're transferred via thumb-drive to a laptop that isn't connected to the internet, which is erased every time it is powered on and booted with a live CD. The publication won't record any details about your visit, so even a government request to look at their records will fail to find any useful information. "There’s a growing technology gap: phone records, e-mail, computer forensics, and outright hacking are valuable weapons for anyone looking to identify a journalist’s source. With some exceptions, the press has done little to keep pace: our information-security efforts tend to gravitate toward the parts of our infrastructure that accept credit cards." Strongbox is actually just The New Yorker's version of a secure information-sharing platform called DeadDrop, built by Aaron Swartz shortly before his death. DeadDrop is free software.

24 of 94 comments (clear)

Min score:

Reason:

Sort:

Is it in a bunker ? by Anonymous Coward · 2013-05-15 06:50 · Score: 2, Funny

Because things are always more secure inside of a bunker.
1. Re:Is it in a bunker ? by durrr · 2013-05-15 07:10 · Score: 2
  
  "a secure information-sharing platform called DeadDrop, built by Aaron Swartz shortly before he DroppedDead."
  I'm not sure I want to use that, it sounds cursed.
2. Re:Is it in a bunker ? by K.+S.+Kyosuke · 2013-05-15 07:20 · Score: 4, Funny
  
  I'm not sure I want to use that, it sounds cursed.
  Why, yes, it's black magic; he killed himself so that his fresh code would be imbued with his life force, giving a spirit guardian to the software and thereby making any hacking attempt instantly fatal to government cloak-and-port-mapper types. Fork it on Github right now!
  
  --
  Ezekiel 23:20
3. Re:Is it in a bunker ? by K.+S.+Kyosuke · 2013-05-15 08:09 · Score: 2, Funny
  
  Who are "dilitants"? Dilettante militants?
  
  --
  Ezekiel 23:20
Hope the editors like Ecuador by Filter · 2013-05-15 06:52 · Score: 2

Wasn't there a guy who tried this once before?

--
"better ways of doing things eventually just replace the inferior things" - Linus Torvalds 09-08-07
1. Re:Hope the editors like Ecuador by Fjandr · 2013-05-16 09:56 · Score: 2
  
  Given the Justice Department's latest actions, subpoenas aren't necessary anymore to troll for information that's not even connected to an active investigation.
  They just wiretap and obtain phone records whenever the hell they feel like it now.
But does it work well in practice? by nweaver · 2013-05-15 06:53 · Score: 5, Interesting

Strongbox technically is very strong, without a doubt. But, being TOR based, it will be hard to use. Worse, a potential leaker not only must use their own computer (ideally a throwaway computer), but they can never have VISITED the Strongbox information page from work, because otherwise any leak to the New Yorker will be suspicious.
And Strongbox's information page drives Ghostery crazy! Not a good sign for a privacy tool.
Probably more important is general Operational Security, including burner phones and/or burner computers.
Julia Angwin has an excellent additional point: Physical mail (dropped in a random post-box with a bogus return address) is perhaps the best way for anonymous one-way communication. The USPS will record address information when asked by law enforcement, but (currently) doesn't record this on all mail. Thus there is no history and, even if there was, this can only be traced to the processing post office. Perhaps the best use of the mail is simply to send the reporter a burner phone preprogrammed so that the reporter can call your burner.

--
Test your net with Netalyzr
1. Re:But does it work well in practice? by EmagGeek · 2013-05-15 07:02 · Score: 2
  
  Really? I only got six bugs with Ghostery.
  In contrast, I routinely get more than 20 at money.cnn.com.
  But you're right. For any "privacy" company to be tracking you with six bugs says a lot about their real concern for privacy.
2. Re:But does it work well in practice? by Anonymous Coward · 2013-05-15 07:10 · Score: 4, Interesting
  
  Julia Angwin has an excellent additional point: Physical mail (dropped in a random post-box with a bogus return address) is perhaps the best way for anonymous one-way communication. The USPS will record address information when asked by law enforcement, but (currently) doesn't record this on all mail. Thus there is no history and, even if there was, this can only be traced to the processing post office. Perhaps the best use of the mail is simply to send the reporter a burner phone preprogrammed so that the reporter can call your burner.
  All the time making sure not to get seen on CCTV and wearing throw-away gloves and clothes. Also ensure not to leave any DNA on or in the package. Compare that to using a LiveCD with TOR.
  These days the risks of doing something private in the real world are just as hard as on the internet.
3. Re:But does it work well in practice? by bussdriver · 2013-05-15 07:32 · Score: 4, Insightful
  
  Depends on the COST to figure out the identity. DNA isn't cheap or quickly checked, you have to be worth it.
  Scanning a DVD for the burner's serial number probably takes little effort depending on how widespread the tools are. I wasn't aware they burned that info--- they do? I know even CDs have manufacturer info on them but that didn't seem that useful. Then looking that up against a db containing them might also be easy but somehow I doubt the db contains that much info... probably more labor than a DNA check; blueray... that probably has your name burned into it. (sony made them)
  Printing on paper? your inkjet is printing the printer's serial number onto the paper- I would think the feds would have that software and anybody with access probably can use it. tracking that down to you is probably much easier than DVDs but still involved.
  Flash? well, buy a new one in cash and use it only once. make sure your OS isn't putting hidden files onto it... mount it in a virtual machine just to be safe. you could also find your OS's cache of UUIDs and delete it... but if they are accessing your computer to find if you ever mounted the drive you are in a bad situation already.
  TOR might be great but one has to wonder -- the feds could be half the nodes and with enough of them they could detect you. they can use it themselves without concern about this but you on the other hand... could be unlucky. plus as some records have shown, they've found people by tracking when they show up in chat rooms and when they went on TOR matching... then you have all these horrible "cloud" apps today-- even your simple calculator app is connecting to the "cloud" today! all these apps doing "harmless" things in the background online is providing a signature of their own, if not giving out identifiers.
  
  --
  Democracy Now! - uncensored, anti-establishment news
4. Re:But does it work well in practice? by chihowa · 2013-05-15 13:37 · Score: 2
  
  1. Fuck ghostery, its closed source nonsense.
  Well, that's a weird response. Ghostery may be closed source, but what it's doing isn't exactly magic. Read the page source and linked javascript yourself. You can find the trackers by hand.
  Dismissing the claim of multiple tracking scripts on a privacy-required site because you don't like the tool someone used is a bizarre way to operate.
  
  --
  If you want a vision of the future, imagine a youtube comments section scrolling - forever.
5. Re:But does it work well in practice? by serialband · 2013-05-15 15:48 · Score: 2
  
  There's an EFF project on identifying the tracking codes. It's mainly done with color laser printouts using yellow dots. If you know what your printer is printing, you could theoretically introduce yellow dot patterns to randomize your serial number and mess up the identification.
  http://w2.eff.org/Privacy/printers/docucolor/
6. Re:But does it work well in practice? by cheekyjohnson · 2013-05-15 21:42 · Score: 3, Interesting
  
  But no doubt you think we should not only go back to the Gold Standard, but only use actual gold pieces as currency too.
  What? I said nothing of the sort.
  The problem with this is that it people are assumed to be criminals by default and privacy is sacrificed so we can thwart the evil bogeymen who threaten us so. That's exactly the mindset that allows for people to be molested when they want to get on a plane in the US.
  
  --
  Filthy, filthy copyrapists!
Based on TOR by Anonymous Coward · 2013-05-15 06:57 · Score: 2, Interesting

I have the impression that TOR is probably compromised by an assortment of constitution trampling three letter agencies, I just don't get why it keeps getting pushed as some shining beacon of privacy. I have to assume that 1/3 of the exit nodes are the feds fishing, 1/3 are criminals fishing and 1/3 are privacy advocates who somehow don't seem to know about the other 2/3.
Please educate me if I am wrong.
Oh great ... by gstoddart · 2013-05-15 07:05 · Score: 4, Insightful

Now they'll decree the press are terrorists and say it's illegal to do this since it prevents 'awful' monitoring.
I think this whole snooping on the reporters thing has them deciding to fight back and send a big "F you".

--
Lost at C:>. Found at C.
1. Re:Oh great ... by Fnord666 · 2013-05-15 13:20 · Score: 3, Informative
  
  I think this whole snooping on the reporters thing has them deciding to fight back and send a big "F you".
  Double plus good on this then. The media has been too damn cozy with both corporations and governments for a while now. Their relationship should be adversarial rather than cooperative.
  
  --
  'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
2. Re:Oh great ... by Karl+Cocknozzle · 2013-05-15 13:53 · Score: 4, Insightful
  
  Now they'll decree the press are terrorists and say it's illegal to do this since it prevents 'awful' monitoring.
  I think this whole snooping on the reporters thing has them deciding to fight back and send a big "F you".
  I find it offensive that they needed it to happen to them personally before they did anything about it. This has been a "fact of life" of "Post-9/11" America for over a decade now, and the first the AP reports significantly on snooping is because it happened to them. ...And before that?
  
  --
  Who did what now?
Can you promise no government hacking? by stanlyb · 2013-05-15 07:08 · Score: 2, Insightful

After the recent news of AP's guys being hacked, eavesdropped, etc, and which is more important, NO REACTION from all of the other news groups (really, i thought this would be the number ONE news!!!), could you be sooo naive to believe that NewYorker would be a safe harbor for your little pretty leak?
I am not idiot, what about you?
Obligatory Al Gore "Lock Box" Reference by xxxJonBoyxxx · 2013-05-15 07:10 · Score: 3, Funny

Obligatory Al Gore "Lock Box" Reference:
http://www.youtube.com/watch?v=F9pqmW-D14I&t=1m39s
Re:Missing a link? by Cenan · 2013-05-15 07:29 · Score: 3, Funny

Read TFA, the answer is inthere waiting for you. I won't spoil the ending for you.

--
... whatever ...
No record of any visit? by houghi · 2013-05-15 07:45 · Score: 2

I rather go with the idea that I WILL be followed and things WILL be recorded then to trust that nobody does. If being traced is a problem for you, then assume that you ARE being traced and people who say they won't are lying.
If I had anything to share and it should be anonymous, sending a thumb-drive should be a lot easier. Darn, just send all sources an SD card via snail-mail. With the prices of what they are, the most expensive part will be posting. And it can be done from almost anywhere in the world as well. (Note: Just don't fill out the return address)

--
Don't fight for your country, if your country does not fight for you.
Am I the only one... by The+Grim+Reefer · 2013-05-15 07:48 · Score: 5, Insightful

Who finds it frightening as hell that the press now has to do this? It's a dark day when the press has to take measures like this because the government is ignoring the first amendment.
They Screwed It Up by Anonymous Coward · 2013-05-15 08:36 · Score: 5, Informative

Good intentions, but it appears that they have no idea what they're doing.
The New Yorker's Strongbox page says it won't record IP addresses or track you or set cookies - while it's setting cookies for newyorker.com, crwdcntrl.net, demdex.net, and omtrdc.net. If they want people who care about this stuff to take their commitment to anonymity seriously, they can't embed tags in their Strongbox main page that causes browsers to go do GETs on other domains' URLs because that reveals the visit to Strongbox to those third parties.
Now all the FBI has to do is subpeona Adobe's AudienceManager's web logs. Advice to journalists with good intentions: Do this right or don't do it at all.
Now, even if I knew anything, I could never submit it to Strongbox because the New Yorker has already compromised my anonymity to those third parties.
it's a phish net by Mister+Liberty · 2013-05-15 12:34 · Score: 2

care of the PhBI.