The New Yorker Launches 'Strongbox' For Secure Anonymous Leaks

← Back to Stories (view on slashdot.org)

The New Yorker Launches 'Strongbox' For Secure Anonymous Leaks

Posted by Soulskill on Wednesday May 15, 2013 @06:47AM from the sing-like-a-really-safe-canary dept.

Today The New Yorker unveiled a project called Strongbox, which aims to let sources share tips and leaks with the news organization in a secure manner. It makes use of the TOR network and encrypts file uploads with PGP. Once the files are uploaded, they're transferred via thumb-drive to a laptop that isn't connected to the internet, which is erased every time it is powered on and booted with a live CD. The publication won't record any details about your visit, so even a government request to look at their records will fail to find any useful information. "There’s a growing technology gap: phone records, e-mail, computer forensics, and outright hacking are valuable weapons for anyone looking to identify a journalist’s source. With some exceptions, the press has done little to keep pace: our information-security efforts tend to gravitate toward the parts of our infrastructure that accept credit cards." Strongbox is actually just The New Yorker's version of a secure information-sharing platform called DeadDrop, built by Aaron Swartz shortly before his death. DeadDrop is free software.

8 of 94 comments (clear)

Min score:

Reason:

Sort:

But does it work well in practice? by nweaver · 2013-05-15 06:53 · Score: 5, Interesting

Strongbox technically is very strong, without a doubt. But, being TOR based, it will be hard to use. Worse, a potential leaker not only must use their own computer (ideally a throwaway computer), but they can never have VISITED the Strongbox information page from work, because otherwise any leak to the New Yorker will be suspicious.
And Strongbox's information page drives Ghostery crazy! Not a good sign for a privacy tool.
Probably more important is general Operational Security, including burner phones and/or burner computers.
Julia Angwin has an excellent additional point: Physical mail (dropped in a random post-box with a bogus return address) is perhaps the best way for anonymous one-way communication. The USPS will record address information when asked by law enforcement, but (currently) doesn't record this on all mail. Thus there is no history and, even if there was, this can only be traced to the processing post office. Perhaps the best use of the mail is simply to send the reporter a burner phone preprogrammed so that the reporter can call your burner.

--
Test your net with Netalyzr
1. Re:But does it work well in practice? by Anonymous Coward · 2013-05-15 07:10 · Score: 4, Interesting
  
  Julia Angwin has an excellent additional point: Physical mail (dropped in a random post-box with a bogus return address) is perhaps the best way for anonymous one-way communication. The USPS will record address information when asked by law enforcement, but (currently) doesn't record this on all mail. Thus there is no history and, even if there was, this can only be traced to the processing post office. Perhaps the best use of the mail is simply to send the reporter a burner phone preprogrammed so that the reporter can call your burner.
  All the time making sure not to get seen on CCTV and wearing throw-away gloves and clothes. Also ensure not to leave any DNA on or in the package. Compare that to using a LiveCD with TOR.
  These days the risks of doing something private in the real world are just as hard as on the internet.
2. Re:But does it work well in practice? by bussdriver · 2013-05-15 07:32 · Score: 4, Insightful
  
  Depends on the COST to figure out the identity. DNA isn't cheap or quickly checked, you have to be worth it.
  Scanning a DVD for the burner's serial number probably takes little effort depending on how widespread the tools are. I wasn't aware they burned that info--- they do? I know even CDs have manufacturer info on them but that didn't seem that useful. Then looking that up against a db containing them might also be easy but somehow I doubt the db contains that much info... probably more labor than a DNA check; blueray... that probably has your name burned into it. (sony made them)
  Printing on paper? your inkjet is printing the printer's serial number onto the paper- I would think the feds would have that software and anybody with access probably can use it. tracking that down to you is probably much easier than DVDs but still involved.
  Flash? well, buy a new one in cash and use it only once. make sure your OS isn't putting hidden files onto it... mount it in a virtual machine just to be safe. you could also find your OS's cache of UUIDs and delete it... but if they are accessing your computer to find if you ever mounted the drive you are in a bad situation already.
  TOR might be great but one has to wonder -- the feds could be half the nodes and with enough of them they could detect you. they can use it themselves without concern about this but you on the other hand... could be unlucky. plus as some records have shown, they've found people by tracking when they show up in chat rooms and when they went on TOR matching... then you have all these horrible "cloud" apps today-- even your simple calculator app is connecting to the "cloud" today! all these apps doing "harmless" things in the background online is providing a signature of their own, if not giving out identifiers.
  
  --
  Democracy Now! - uncensored, anti-establishment news
Oh great ... by gstoddart · 2013-05-15 07:05 · Score: 4, Insightful

Now they'll decree the press are terrorists and say it's illegal to do this since it prevents 'awful' monitoring.
I think this whole snooping on the reporters thing has them deciding to fight back and send a big "F you".

--
Lost at C:>. Found at C.
1. Re:Oh great ... by Karl+Cocknozzle · 2013-05-15 13:53 · Score: 4, Insightful
  
  Now they'll decree the press are terrorists and say it's illegal to do this since it prevents 'awful' monitoring.
  I think this whole snooping on the reporters thing has them deciding to fight back and send a big "F you".
  I find it offensive that they needed it to happen to them personally before they did anything about it. This has been a "fact of life" of "Post-9/11" America for over a decade now, and the first the AP reports significantly on snooping is because it happened to them. ...And before that?
  
  --
  Who did what now?
Re:Is it in a bunker ? by K.+S.+Kyosuke · 2013-05-15 07:20 · Score: 4, Funny

I'm not sure I want to use that, it sounds cursed.
Why, yes, it's black magic; he killed himself so that his fresh code would be imbued with his life force, giving a spirit guardian to the software and thereby making any hacking attempt instantly fatal to government cloak-and-port-mapper types. Fork it on Github right now!

--
Ezekiel 23:20
Am I the only one... by The+Grim+Reefer · 2013-05-15 07:48 · Score: 5, Insightful

Who finds it frightening as hell that the press now has to do this? It's a dark day when the press has to take measures like this because the government is ignoring the first amendment.
They Screwed It Up by Anonymous Coward · 2013-05-15 08:36 · Score: 5, Informative

Good intentions, but it appears that they have no idea what they're doing.
The New Yorker's Strongbox page says it won't record IP addresses or track you or set cookies - while it's setting cookies for newyorker.com, crwdcntrl.net, demdex.net, and omtrdc.net. If they want people who care about this stuff to take their commitment to anonymity seriously, they can't embed tags in their Strongbox main page that causes browsers to go do GETs on other domains' URLs because that reveals the visit to Strongbox to those third parties.
Now all the FBI has to do is subpeona Adobe's AudienceManager's web logs. Advice to journalists with good intentions: Do this right or don't do it at all.
Now, even if I knew anything, I could never submit it to Strongbox because the New Yorker has already compromised my anonymity to those third parties.