New Yorker launches new leak submission system, written by Aaron Swartz


15 Responses to “New Yorker launches new leak submission system, written by Aaron Swartz”

  1. Nicholas Weaver says:

    I have no doubt that Strongbox is very secure. The problem is usability. I suspect that, for most sources, Julia Angwin’s suggestion that the source should just mail a burner phone to the reporter, programmed with the number of the source’s own burner, would probably be a better secure solution.

    Overall, I believe the problem is operational security (e.g. see my Wired opinion piece) not technology tools.

    • Gulliver says:

      And then there’s the security of the source. Bob can only secure Bob’s computer, not Alice’s.

      They’ve clearly thought it through, but I hope that by erase they mean a method effective against remanence, such as Gutmann and Plumb’s algorithm for simulating degaussing.

      • extra88 says:

        Bah, on contemporary magnetic media, a single pass of zeros is sufficient; no one can recover the overwritten data. I don’t know where things stand with solid state media but if there’s a solution at all I doubt it requires such algorithms.

        • kmoser says:

          A single pass of zeros? How confident are you in that assertion?

          • extra88 says:

            Very, but a better question would be “what is the basis for your claim?” I’ve read discussions of secure erasure for many years and it comes down to 1) there being no evidence of overwritten data ever being recovered and 2) as magnetic storage density has increased, the recovery techniques Gutmann hypothesized have become even more implausible.

            Because I’m not an engineer in that field, if I had the U.S. government as an adversary, I *might* use a single pass of pseudorandom data.

            Here’s one reference:

    • kmoser says:

      For that matter the source could just mail an encrypted thumb drive to the reporter, thereby bypassing any known weaknesses in Tor and any unknown weaknesses in Strongbox.

      The hard part (for the source) is making sure the data contains nothing that could be traced back to the source; this applies whether the source uses a thumb drive or Strongbox.

  2. oasisob1 says:

    I suspect using the tor network is actually a major weakness.

    • scolbath says:

      What is your basis for that suspicion?

      • oasisob1 says:

        “While Tor does provide protection against traffic analysis, it cannot prevent traffic confirmation (also called end-to-end correlation)”

        I think it’s possible that a well-resourced actor could insert a large enough number of nodes into the network to enable sufficient end-to-end monitoring. Alternatively, such an organization could search for all active nodes and either compromise or set up monitoring at the nodes. If they control or watch your entry and exit nodes, well, who cares what happens in the middle? If I were in charge of such an operation, I’d most certainly make it a priority to compromise the New Yorker Strongbox. Now that I think about it, even a poorly-resourced actor with a strong brain could get the job done. Write a virus to zombify Tor nodes, send it out and own as many boxes as you want for free.

        Using tor wrong can lead to problems. I think the smart thing to do would be to use it once in a public location and never go back – library, best buy, apple store… and while using it for your drop, don’t check your email, facebook or post on your blog, etc. — I think those are the kinds of activities that break the effectiveness of the system.

        Maybe I’m wrong.

        • scolbath says:

          I certainly agree that the approach you outline in your final paragraph will help – but what the New Yorker has built is a *distributed* drop box. And Tor, to date, has withstood attacks from such well-resourced adversaries as China, Iran, and Syria. Undoubtedly, the US could attack it as you describe: but you will have to think – would you rather put your trust in Tor, trusted by people whose lives depend on it all over the world, or some “other” mechanism?

  3. Finnagain says:

    “Tragically died”?

  4. SamSam says:

    Why are the contents of the laptop erased after every use?

    If it’s already gone through the Tor network and encrypted, the source is already hidden. At that point, no one other than the New Yorker can read the files, and no one at all can figure out the source (presumably, but if these two assumptions are false then the whole thing fails).

    So now the New Yorker editor has the files on this secure laptop. If the files are important, he’s going to want to write a story about them. And if he writes a story about them, he’s going to need to back it up with the files.

    So the erasure deletes any unimportant files, which I guess is good, but it’s not clear what happens to files that are important. Clearly they’re not just going to get erased when the laptop is closed for the day. Are they archived somewhere and accessible by subpoena? Are they accessible to anyone who asks once the story is written, the way WikiLeaks files are?

    This looks good, but they need to be clearer about what happens to the files at the end.

  5. mkanoap says:

    The second laptop is probably erased to prevent a scenario like this:
    1) interested agency drops some sort of malware in the drop box
    2) malware infects laptop that will be used for decryption
    3) malware mails decryption keys to interested agency
    4) interested agency can now decrypt future messages intercepted by various means.

    A freshly wiped laptop would be an attempt to ensure that the keys are never exposed to a compromised machine. It’s not to keep anyone else from reading the decrypted files; it’s to keep new files, intercepted before they get to the decryption phase, encrypted.

    Still, I agree that the last step should be fleshed out more.
