EditorsAbout the SiteComes vs. MicrosoftUsing This Web SiteSite ArchivesCredibility IndexOOXMLOpenDocumentPatentsNovellNews DigestSite NewsRSS

10.25.15

How to Securely Provide Techrights With Information, Documents

Posted in Site News at 6:35 am by Dr. Roy Schestowitz

The key is anonymity

A lock

Summary: Advice for potential whistleblowers, or sources with evidence of abuse that they wish to anonymously share with the world (via Techrights)

OVER the years Techrights has received critical information from dozens of sources, all of which remained safe (unexposed). But this does not mean that all of them did this safely. This article provides advice for those who wish to pass to us information in the safest of ways, without having to do a lot of complicated things.

Why Not Off-the-shelf, Self-contained Secure Software?

Over the past 6 months or so we have looked into various bits of Free/libre software, e.g. Briefkasten (no longer actively maintained, as of 2013) and SecureDrop, which is too big a project (massive also in the source code sense compared to Briefkasten, not to mention difficult to set up). After much effort we decided to settle for something which is simpler to use and is much faster to use. To facilitate leaking of sensitive documents (e.g. evidence of misconduct) we mostly require anonymity, as the content of the material does not — in its own right — do much (if anything) to expose the source.

Typically, whole frameworks are built for distributed and de-centralised leaking. This requires quite a bit of hardware, which in turn needs to be set up and properly configured. It’s complicated for both sides (source and receiver) and it’s usually developed for large teams of journalists, for constant interaction with sources, or a regular flow of material. We do not require something this advanced. In practice, a one-time document drop is usually enough.

Our Proposed Solution

We have decided that the following method would be good enough given the nature of leaks we normally receive. They are typically about technology, rather than some military or surveillance apparatus such as the CIA’s assassination (by drones) programme or the NSA’s mass surveillance programme.

For extra security, we kindly ask people to ensure anonymity/privacy tools are used, notably Tor. Without it, privacy/anonymity cannot be assured to a high degree. It’s possible, but it would not be unbreakable (meaning too great an effort and a challenge for spies to take on).

Establishing a Secure (Anonymous) Session

Follow the following steps, with (1) for extra assurance of anonymity.

  1. Install Tails or prepare a Tails device (e.g. Live CD) to boot on a laptop, in order to simplify session creation with Tor (for those who insist on using Windows we have this guide [PDF]).
  2. Irrespective of (1), seek public wireless/wired access in something like a mall (preferably not a sit-down like a coffee shop, where cameras are operated and situated in a way that makes it easy to track individuals by faces, payment with debit/credit cards and so on). The idea is to seek a place — any place — where it is hard to know the identity of the connected party, even by association (e.g. friend or family). Do not use a portable telephone (these are notoriously not secure and regularly broadcast location).
  3. Refrain from doing any browsing that can help identify patterns or affiliations of the user (e.g. session cookies). In fact, unless Tails is used, it might be worth installing a new browser (Opera for instance) and doing nothing on it prior to the sending of material. This reduces the cookie trail/footprint.

Send the material

Once logged in anonymously, anonymously (do not log in) submit text through Pastebin and take the resultant URL for later pasting. Do not pass PDFs for non-textual material. Instead take shots of them, to reduce/eliminate metadata which is often being passed along with them. Then submit to Anonmgur and make a note of the resultant URL for later pasting.

This is typically a one-way communication channel, so add any context which is necessary, then link to the above material as follows:

  • Log in to the #techrights IRC Channel via the Web browser.
  • Choose a pseudonym and sooner or later we will get around to seeing the new arrival and checking what there is to be said (there are dozens of us there).
  • Drop the link/s in the channel. If someone is on the keyboard at the time, there might even be time for interaction. Do not say anything that can help reveal identity (sometimes the language itself is revealing).

Caveats

While not impenetrable, it would take an enormous amount of effort (and connections in several high places) to unmask a source who follows the steps above. Unless it’s a high-profile political leak, such an unmasking effort would be well beyond what’s worth pursuing (expensive and complicated). MAC address-level spying often assumes access to very high places (and deep into back rooms), so therein lies no significant danger, especially when the best anonymity tools are properly used and the incentive to unmask isn’t great enough at high places (usually the political or military establishments).

Share this post: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • del.icio.us
  • Reddit
  • co.mments
  • DZone
  • email
  • Google Bookmarks
  • LinkedIn
  • NewsVine
  • Print
  • Technorati
  • TwitThis
  • Facebook

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

What Else is New

  1. Links 19/4/2019: PyPy 7.1.1, LabPlot 2.6, Kipi Plugins 5.9.1 Released

    Links for the day

  2. Links 18/4/2019: Ubuntu and Derivatives Have Releases, digiKam 6.1.0, OpenSSH 8.0 and LibreOffice 6.2.3

    Links for the day

  3. Freedom is Not a Business and Those Who Make 'Business' by Giving it Away Deserve Naming

    Free software is being parceled and sold to private monopolisers; those who facilitate the process enrich themselves and pose a growing threat to freedom in general — a subject we intend to tackle in the near future

  4. Concluding the Linux Foundation (LF) “Putting the CON in Conference!” (Part 3)

    Conferences constructed or put together based on payments rather than merit pose a risk to the freedom of free software; we conclude our series about events set up by the largest of culprits, which profits from this erosion of freedom

  5. “Mention the War” (of Microsoft Against GNU/Linux)

    The GNU/Linux desktop (or laptops) seems to be languishing or deteriorating, making way for proprietary takeover in the form of Vista 10 and Chrome OS and “web apps” (surveillance); nobody seems too bothered — certainly not the Linux Foundation — by the fact that GNU/Linux itself is being relegated or demoted to a mere “app” on these surveillance platforms (WSL, Croûton and so on)

  6. The European Patent Office Does Not Care About the Law, Today's Management Constantly Attempts to Bypass the Law

    Many EPs (European Patents) are actually "IPs" (invalid patents); the EPO doesn't seem to care and it is again paying for corrupt scholars to toe the party line

  7. The US Supreme Court (SCOTUS) Once Again Pours Cold Water on Patent Maximalists

    Any hopes of a rebound or turnaround have just been shattered because a bizarre attack on the appeal process (misusing tribal immunity) fell on deaf ears and software patents definitely don't interest the highest court, which already deemed them invalid half a decade ago

  8. Links 17/4/2019: Qt 5.12.3 Released, Ola Bini Arrested (Political Stunts)

    Links for the day

  9. Links 16/4/2019: CentOS Turns 15, Qt Creator 4.9.0 Released

    Links for the day

  10. GNU/Linux is Being Eaten Alive by Large Corporations With Their Agenda

    A sort of corporate takeover, or moneyed interests at the expense of our freedom, can be seen as a 'soft coup' whose eventual outcome would involve all or most servers in 'the cloud' (surveillance with patent tax as part of the rental fees) and almost no laptops/desktops which aren't remotely controlled (and limit what's run on them, using something like UEFI 'secure boot')

  11. Reader's Claim That Rules Similar to the Code of Conduct (CoC) Were 'Imposed' on LibrePlanet and the FSF

    Restrictions on speech are said to have been spread and reached some of the most liberal circles, according to a credible veteran who opposes illiberal censorship

  12. Corporate Media Will Never Cover the EPO's Violations of the Law With Respect to Patent Scope

    The greed-driven gold rush for patents has resulted in a large pool of European Patents that have no legitimacy and are nowadays associated with low legal certainty; the media isn't interested in covering such a monumental disaster that poses a threat to the whole of Europe

  13. A Linux Foundation Run by People Who Reject Linux is Like a Children's Charity Whose Management Dislikes Children

    We remain concerned about the lack of commitment that the Linux Foundation has for Linux; much of the Linux Foundation's Board, for example, comes from hostile companies

  14. Links 15/4/2019: Linux 5.1 RC5 and SolydXK Reviewed

    Links for the day

  15. Links 14/4/2019: Blender 2.80 Release Plan and Ducktype 1.0

    Links for the day

  16. 'Poor' (Multi-Millionaire) Novell CEO, Who Colluded With Steve Ballmer Against GNU/Linux, is Trying to Censor Techrights

    Novell’s last CEO, a former IBMer who just like IBM decided to leverage software patents against the competition (threatening loads of companies using "platoons of patent lawyers"), has decided that siccing lawyers at us would be a good idea

  17. Guest Post: The Linux Foundation (LF) is “Putting the CON in Conference!” (Part 2)

    Calls for papers (CfP) and who gets to assess what's presented or what's not presented is a lesser-explored aspect, especially in this age when large corporate sponsors get to indirectly run entire 'community' events

  18. Patent Maximalists Are Enabling Injustices and Frauds

    It's time to come to grips with the simple fact that extreme patent lenience causes society to suffer and is mostly beneficial to bad actors; for the patent profession to maintain a level of credibility and legitimacy it must reject the deplorable, condemnable zealots

  19. Further Decreasing Focus on Software Patents in the United States as They Barely Exist in Valid Form Anymore

    No headway made after almost 4 months of Iancu-led stunts; software patents remain largely dead and buried, so we’re moving on to other topics

  20. Links 13/4/2019: Wine 4.6 and Emacs 26.2 Released

    Links for the day

  21. Links 12/4/2019: Mesa 19.0.2, Rust 1.34.0 and Flatpak 1.3.2 Released

    Links for the day

  22. Caricature: EPO Standing Tall

    A reader's response to the EPO's tall claims and fluff from yesterday

  23. The EPO is Slipping Out of Control Again and It's Another Battistelli-Like Mess With Disregard for the Rule of Law and Patent Scope

    The banker in chief is just 'printing' or 'minting' lots and lots of patents, even clearly bogus ones that lack substance to back their perceived value

  24. Global Finance Magazine Spreads Lies About the Unitary Patent and German Constitutional Court

    Alluding to the concept of a "unified European patent," some site connected to Class Editori S.p.A. and based in Manhattan/New York City tells obvious lies about the Unified Patent Court (UPC), possibly in an effort to sway outcomes and twist people's expectations

  25. New Building as Perfect Metaphor for the EPO Under the Frenchmen Battistelli and Campinos

    The EPO is in "propaganda mode" only 9 months after the latest French President took Office; the Office is seen as dishonest, even under the new leadership, which routinely lies to the public and to its own staff

  26. Links 11/4/2019: Twisted 19.2.0 Released, Assange Arrested

    Links for the day

  27. EPO Still Wasting Budget, Paying Media and Academics for Spin

    EPO money continues to flow like water into hands that are complicit in legitimising the EPO's management and policies; this highlights the grave dangers of lack of oversight at the EPO, not to mention lawlessness or lack of enforcement

  28. Links 10/4/2019: Microsoft's GDPR Trouble, New Fedora 29 Images

    Links for the day

  29. Linux Magazine is Run by Advertisers, Not GNU/Linux (and It's Hardly the Exception)

    Advertising is big money — so big in fact that publications no longer care what’s true but instead focus on what text brings them more income (from advertisers, of course)

  30. Guest Post: The Linux Foundation (LF) is “Putting the CON in Conference!” (Part 1)

    Proprietary software giants with their sponsorships and gifts are more like Trojan horses or parasites striving to infect the host; how can the LF be protected from them?

CoPilotCo

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

CoPilotCo

Recent Posts