10.25.15

How to Securely Provide Techrights With Information, Documents

Posted in Site News at 6:35 am by Dr. Roy Schestowitz

The key is anonymity

A lock

Summary: Advice for potential whistleblowers, or sources with evidence of abuse that they wish to anonymously share with the world (via Techrights)

OVER the years Techrights has received critical information from dozens of sources, all of which remained safe (unexposed). But this does not mean that all of them did this safely. This article provides advice for those who wish to pass to us information in the safest of ways, without having to do a lot of complicated things.

Why Not Off-the-shelf, Self-contained Secure Software?

Over the past 6 months or so we have looked into various bits of Free/libre software, e.g. Briefkasten (no longer actively maintained, as of 2013) and SecureDrop, which is too big a project (massive also in the source code sense compared to Briefkasten, not to mention difficult to set up). After much effort we decided to settle for something which is simpler to use and is much faster to use. To facilitate leaking of sensitive documents (e.g. evidence of misconduct) we mostly require anonymity, as the content of the material does not — in its own right — do much (if anything) to expose the source.

Typically, whole frameworks are built for distributed and de-centralised leaking. This requires quite a bit of hardware, which in turn needs to be set up and properly configured. It’s complicated for both sides (source and receiver) and it’s usually developed for large teams of journalists, for constant interaction with sources, or a regular flow of material. We do not require something this advanced. In practice, a one-time document drop is usually enough.

Our Proposed Solution

We have decided that the following method would be good enough given the nature of leaks we normally receive. They are typically about technology, rather than some military or surveillance apparatus such as the CIA’s assassination (by drones) programme or the NSA’s mass surveillance programme.

For extra security, we kindly ask people to ensure anonymity/privacy tools are used, notably Tor. Without it, privacy/anonymity cannot be assured to a high degree. It’s possible, but it would not be unbreakable (meaning too great an effort and a challenge for spies to take on).

Establishing a Secure (Anonymous) Session

Follow the following steps, with (1) for extra assurance of anonymity.

  1. Install Tails or prepare a Tails device (e.g. Live CD) to boot on a laptop, in order to simplify session creation with Tor (for those who insist on using Windows we have this guide [PDF]).
  2. Irrespective of (1), seek public wireless/wired access in something like a mall (preferably not a sit-down like a coffee shop, where cameras are operated and situated in a way that makes it easy to track individuals by faces, payment with debit/credit cards and so on). The idea is to seek a place — any place — where it is hard to know the identity of the connected party, even by association (e.g. friend or family). Do not use a portable telephone (these are notoriously not secure and regularly broadcast location).
  3. Refrain from doing any browsing that can help identify patterns or affiliations of the user (e.g. session cookies). In fact, unless Tails is used, it might be worth installing a new browser (Opera for instance) and doing nothing on it prior to the sending of material. This reduces the cookie trail/footprint.

Send the material

Once logged in anonymously, anonymously (do not log in) submit text through Pastebin and take the resultant URL for later pasting. Do not pass PDFs for non-textual material. Instead take shots of them, to reduce/eliminate metadata which is often being passed along with them. Then submit to Anonmgur and make a note of the resultant URL for later pasting.

This is typically a one-way communication channel, so add any context which is necessary, then link to the above material as follows:

  • Log in to the #techrights IRC Channel via the Web browser.
  • Choose a pseudonym and sooner or later we will get around to seeing the new arrival and checking what there is to be said (there are dozens of us there).
  • Drop the link/s in the channel. If someone is on the keyboard at the time, there might even be time for interaction. Do not say anything that can help reveal identity (sometimes the language itself is revealing).

Caveats

While not impenetrable, it would take an enormous amount of effort (and connections in several high places) to unmask a source who follows the steps above. Unless it’s a high-profile political leak, such an unmasking effort would be well beyond what’s worth pursuing (expensive and complicated). MAC address-level spying often assumes access to very high places (and deep into back rooms), so therein lies no significant danger, especially when the best anonymity tools are properly used and the incentive to unmask isn’t great enough at high places (usually the political or military establishments).

Share in other sites/networks: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Reddit
  • email

This post is also available in Gemini over at:

gemini://gemini.techrights.org/2015/10/25/techrights-doc-drop/

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

What Else is New

  1. Links 7/3/2021: AviDemux 2.7.8, Thunar 4.16.4

    Links for the day

  2. Links 7/3/2021: Sparky 2021.03, SystemRescue 8.00, and FreeBSD 13.0 RC1

    Links for the day

  3. IRC Proceedings: Saturday, March 06, 2021

    IRC logs for Saturday, March 06, 2021

  4. How To Deal With Your Raspberry Spy -- Part V: All The Rest

    The final part of a series on liberating the Raspberry Spy from an untrustworthy OS that secretly adds Microsoft keys and proprietary software repositories of Microsoft

  5. How To Deal With Your Raspberry Spy -- Part IV: Doing The Task

    We now spell out the steps taken to actually replace the Raspberry Pi OS with something more trustworthy

  6. Corporations Do Not Represent Communities and Activists, They Just Exploit Them, Discredit Them, and Hijack Their Hard Work

    The AstroTurfing and the Googlebombing campaigns of large corporations would have us believe that genuine activists are toxic and malicious people, whereas corporations exist to save the world from evil people; don’t fall for those Public Relations tactics (a gross inversion of narrative)

  7. Why the 'Raspberry Spy' Blunder is a Lot More Serious and Profound Than the Corporate Media is Willing to Acknowledge

    As this video points out, the ongoing series by Gavin L. Rebeiro is justified by the fact that the 'Raspberry Spy' Foundation continues to work with and some might say for Microsoft; it sold out millions of customers

  8. Links 6/3/2021: “SLS” Mitigation and Exiv2/KDE Project

    Links for the day

  9. How To Deal With Your Raspberry Spy -- Part III: Fundamentals

    Following the introductory and preliminary parts we dive deeper into the steps taken to replace the Raspberry Pi's GNU- and Linux-based OS with something like NetBSD

  10. Links 6/3/2021: Linux 5.12 RC2 and OpenSUSE Tumbleweed Woes

    Links for the day

  11. IRC Proceedings: Friday, March 05, 2021

    IRC logs for Friday, March 05, 2021

  12. Links 5/3/2021: Qubes OS 4.0.4 Release and Wine's Project Leader is Open to Wayland

    Links for the day

  13. How To Deal With Your Raspberry Spy -- Part II: Introduction

    Following Part I, published a few hours ago, let's examine what happened from a technical perspective and what can be done about it technically

  14. How To Deal With Your Raspberry Spy -- Part I: Acknowledgements

    March 2, 2021 blog post series from a guest author; for some background, see blog posts from Microsoft in the official blog of Raspberry Pi and our response to these

  15. German Decision on Unitary Patent/UPC Will Take Years (and It Doesn't Matter Because the Whole Thing is Dead Already)

    Kluwer Patent Blog's Dr. Bausch explains why the UPC is pretty much doomed, as it cannot be ratified any time soon and probably will never be ratified either (for a multitude of reasons, including Brexit)

  16. Techrights in Australia (IPFS and Gemini)

    Allies in Australia will help Techrights serve material from another server; we're still bettering ourselves for an era of oppressive World Wide Web

  17. Professional Troll Matthew Garrett Spreads Libel, Defamation and Slander About the Free Software Community to Entertain Microsoft and Friends

    After months of parking in our IRC channels to provoke and troll people (and try to collect 'dirt' from responses) the professional troll Matthew Garrett has been for many years shows his true colours again

  18. Links 5/3/2021: Linux 5.12-rc2 Imminent, Linux Lite 5.4 RC1 in Review

    Links for the day

  19. IRC Proceedings: Thursday, March 04, 2021

    IRC logs for Thursday, March 04, 2021

  20. Links 4/3/2021: LibreOffice 7.1.1, Cockpit 239, Many Stable Kernel Releases

    Links for the day

  21. Links 4/3/2021: Pardus 19.5 is Out and Free Software Foundation Gets Consulting Grant

    Links for the day

  22. IRC Proceedings: Wednesday, March 03, 2021

    IRC logs for Wednesday, March 03, 2021

  23. The Free Software Foundation Should Re-add Richard Stallman to the Board

    Dr. Richard Stallman is missed by many who perceive him to have been wrongly treated; putting Stallman back in the Board (at the very least) would help the image of the Free Software Foundation more than the newly-announced work with Community Consulting Teams of Boston

  24. Free Software Calling

    Fewer people are willing to "put up with the shit" given by so-called 'Big Tech', seeing that it's mostly about social control rather than enablement or emancipation

  25. Meme: EPO Management Totally Gets 'Tehc'

    The bestest patent office in the whole wide world is besting the “hey hi” (AI) cutting edge; don't worry about exam and certification integrity

  26. The EPO's Software Blunders Are Inevitable Outcome of Technically Clueless Management Which Grants Illegal Patents on Software

    The "clusterfuck" which the EPO has become is negatively affecting not only EPO staff but also stakeholders, who sink into depression and sometimes anger, even fury, at great expense to their health; this is how institutions die (for a quick but short money grab, a culmination of corruption which piggybacks half a century of goodwill gestures)

  27. Links 3/3/2021: OpenSUSE Leap 15.3 Beta, GNU Denemo 2.5, and NomadBSD 1.4

    Links for the day

  28. What Free Software Organisations Can Learn From Australia's Rape Crisis

    Reprinted with permission from Daniel Pocock

  29. Microsoft Weaponises (and Further Spreads) Racism to Distract From Its Own Incompetence (and 'Five Eyes' Collusion for Back Door Access)

    Racist Microsoft is at it again; we're meant to think that China is evil for doing exactly what the United States has been doing but more importantly we're told not to blame Microsoft for shoddy code and back doors (classic blame-shifting tactics and overt distortion of facts, as we saw in the wake of SolarWinds backdoors)

  30. GNU/Linux News Sites Need to Promote Software Freedom, Not Binary and Proprietary Blobs Merely Compiled for GNU/Linux

    There has been lots of proprietary fluff in GNU/Linux 'news' sites so far this week; it merits an explanation or clarification, e.g. why we should generally reject proprietary stuff and instead promote Free/libre alternatives

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts