Slashdot Mirror

← Back to Stories (view on slashdot.org)

The New Yorker Launches 'Strongbox' For Secure Anonymous Leaks

Posted by Soulskill on from the sing-like-a-really-safe-canary dept.

Today The New Yorker unveiled a project called Strongbox, which aims to let sources share tips and leaks with the news organization in a secure manner. It makes use of the TOR network and encrypts file uploads with PGP. Once the files are uploaded, they're transferred via thumb-drive to a laptop that isn't connected to the internet, which is erased every time it is powered on and booted with a live CD. The publication won't record any details about your visit, so even a government request to look at their records will fail to find any useful information. "There’s a growing technology gap: phone records, e-mail, computer forensics, and outright hacking are valuable weapons for anyone looking to identify a journalist’s source. With some exceptions, the press has done little to keep pace: our information-security efforts tend to gravitate toward the parts of our infrastructure that accept credit cards." Strongbox is actually just The New Yorker's version of a secure information-sharing platform called DeadDrop, built by Aaron Swartz shortly before his death. DeadDrop is free software.

3 of 94 comments (clear)

  1. But does it work well in practice? by nweaver · · Score: 5, Interesting

    Strongbox technically is very strong, without a doubt. But, being TOR based, it will be hard to use. Worse, a potential leaker not only must use their own computer (ideally a throwaway computer), but they can never have VISITED the Strongbox information page from work, because otherwise any leak to the New Yorker will be suspicious.

    And Strongbox's information page drives Ghostery crazy! Not a good sign for a privacy tool.

    Probably more important is general Operational Security, including burner phones and/or burner computers.

    Julia Angwin has an excellent additional point: Physical mail (dropped in a random post-box with a bogus return address) is perhaps the best way for anonymous one-way communication. The USPS will record address information when asked by law enforcement, but (currently) doesn't record this on all mail. Thus there is no history and, even if there was, this can only be traced to the processing post office. Perhaps the best use of the mail is simply to send the reporter a burner phone preprogrammed so that the reporter can call your burner.

    --
    Test your net with Netalyzr
  2. Am I the only one... by The+Grim+Reefer · · Score: 5, Insightful

    Who finds it frightening as hell that the press now has to do this? It's a dark day when the press has to take measures like this because the government is ignoring the first amendment.

  3. They Screwed It Up by Anonymous Coward · · Score: 5, Informative

    Good intentions, but it appears that they have no idea what they're doing.

    The New Yorker's Strongbox page says it won't record IP addresses or track you or set cookies - while it's setting cookies for newyorker.com, crwdcntrl.net, demdex.net, and omtrdc.net. If they want people who care about this stuff to take their commitment to anonymity seriously, they can't embed tags in their Strongbox main page that causes browsers to go do GETs on other domains' URLs because that reveals the visit to Strongbox to those third parties.

    Now all the FBI has to do is subpeona Adobe's AudienceManager's web logs. Advice to journalists with good intentions: Do this right or don't do it at all.

    Now, even if I knew anything, I could never submit it to Strongbox because the New Yorker has already compromised my anonymity to those third parties.