Strongbox Reactions, Part II
Jacob Harris, Jonathan Stray, and Mike Tigas weigh in
In our previous post on Strongbox, the New Yorker’s newly launched tool for secure data submissions by anonymous sources, we asked for your thoughts on the project’s uses, security, and potential benefits and problems for journalists and their sources.
Our first wave of responses includes thoughts from the New York Times’ Jacob Harris, the Overview Project’s (and the Columbia Graduate School of Journalism’s) Jonathan Stray, and Mike Tigas, OpenNews Fellow at ProPublica. Each responded via email, and we’re publishing their comments here in full because they were too interesting to excerpt.
Jacob Harris on Practical Newsroom Security
While I have more than a casual interest in this topic, I am extremely hesitant to call myself an expert, since complacency is the last thing you want when approaching a topic like this. Still, it looks like a very solid design with some very strong components:
1. The requirement to use TOR for the upload is an excellent development beyond the HTTPS-based approaches taken by some earlier dropboxes. While it will deter some leakers who aren’t too strong with computers, it’s important to set minimum standards to protect leakers’ safety. Tor is not perfect, but it does provide some additional protections against snooping where the leaker is uploading files to as well as protecting the leaker’s identity from the upload server (although they are taking precautions to not log information, Tor makes it safer by obscuring that information just in case)
2. Tor is not a magical leak safety device though. If a leaker is foolish enough to upload a file from their work computer, it still might be possible to figure out who he or she is by noting which machine has made a massive upload through a TOR relay recently. The upload site should explicitly front with some basic security precautions a leaker should take (here’s a good list), since it would be a shame to secure the communications, only to have the leaker undone by their own mistake (and mistakes will be made if you don’t).
3. One of the risks of a secure dropbox like this is that it essentially provides an express route for sending malware to senior editors at the publication (this is not tin-foil paranoia). This is why it makes sense to move documents from the dropbox to an separate viewing machine that is not connected to the Internet at all (and has no hard disk and is rebooted between use). This approach also is an interesting way of dealing with the operational failures likely within most newsrooms. One has heard tales of laptops being stolen with sensitive documents or printouts left on desks, this approach doesn’t allow any of that or infected malware to be moved into the regular intranet. The downside though is that if someone leaks a less-sensitive document, it’s effectively quarantined like the others. Also, if you wanted to run an excerpt of the document anywhere, what would you do? I suppose you could provide a printer (with a shredder nearby too), but…
4. The secure communication method highlights an inevitable tension in these situations. From a technical or legal standpoint, the ideal leaking situation would be the equivalent of an encrypted DVD mailed from a post box with no return address and no further communication. The problem is, that’s a nightmare for any journalists. Suppose you receive a document like this falling from the sky. Questions naturally arise: is this complete? Is this a fake? How do I verify it and the leaker without causing an agency investigation that might catch leakers? What context do I need to understand it? Is there more? So, you really need for a way for the journalists to communicate with the leaker. The problem is, such communication is the most likely way that a leaker will be implicated or prosecuted: recall that chat logs from Bradley Manning’s computer were introduced as evidence against him, and Kiriakou was convicted without needing to subpoena any reporters. So, what do you do? DeadDrop uses an approach where the leaker provides a passphrase and is the only one able to initiate communications, which is a start. However, imagine if law enforcement was able to hack into and control the machine quietly; and I’m not saying they can or will, but I like to imagine worst-possible cases. Even if prior messages were deleted, the law could request a further meet or try some other trick to solicit information from the leaker. Unlike OTR, the leaker has no plausible deniability (although OTR chat client external logging proved to be Manning’s nightmare). Some other approaches like Pond might work, but ultimately communication creates risks. But these risks are necessary to offset the risks of being conned by a convincing but fraudulent leak.
5. Even if communication were perfect, it would still create risks. The problem is that both sides to the leaking process must maintain perfect operational discipline. There are many ways a leaker might mess up, leaving electronic or financial trails that can be used as leads in investigations against them. Journalists are often notoriously bad at computer security and might expose confidential information by emailing it to themselves on Google or leaving it out in public. A perfect communication system would be slow and onerous to use, and both sides might be tempted to bypass it and talk via other channels. In short, people are generally the source of security lapses, and we can’t forget that here.
6. If you haven’t guessed, I am generally concerned with the idea of someone pwning the leak submission server. I personally would like to ensure that leaked documents are regularly removed from the leak server (so an attacker wouldn’t be able to glean information about submissions received or grab them for future cracking/decryption). I also am obviously concerned about communications being monitored/controlled by a third party. Regularly wiping the upload server seems like a prudent precaution. I’d even go further and suggest it also run off a CD-ROM/RAMdisk with the only storage being the disk for moving files to the viewing computer. Then, it could be regularly upgraded or rebooted without any exploits persisting on the hard disk
7. Of course, the big question hanging over any secure dropbox is, will you get any useful tips? For all the hoopla around Al Jazeera’s secure dropbox, I’m not sure they have received anything through it yet (the Palestine Papers were published at the same time, but never claimed obtained through it AFAIK). Are anonymous leakers out there and common, or was Bradley Manning a black swan? As much as I find this topic interesting, I still feel that there would be many benefits reaped from making insecure leaking easier and more effective at most newspapers. It was telling that Manning didn’t leak to the NYT, because he didn’t know where to start and ultimately wound up leaving a voicemail with the public editor (which meant it went nowhere). Most news orgs are more systemic about handling photo submissions and tweets than we are at handling tips, and there is likely a lot of value in tackling that problem (although it’s not as sexy).
8. Finally, if I were leaking something big, I probably would still avoid leaving an electronic trace entirely: put the files on a DVD encrypted with the recipient news org’s public key, mail it from a random mailbox with no return address with no information on how to reach me. Not helpful for the reporters and decidedly old-fashioned with a low chance of success, but no other option is as low-risk…
Jonathan Stray on Metadata, Usability, and Purpose
Strongbox solves a very specific problem: anonymous file submission. This is the model pioneered by Wikileaks, which backs up the promise of anonymity with strong technical guarantees.
And from a technical viewpoint, I find nothing to complain about. The Tor network is the gold standard for anonymous online communication, which should protect source identities well even if the New Yorker makes mistakes in its complicated data handling plan.
I am also excited that the underlying software is open-source, making this system potentially replicable at other news organizations. So this is a step forward. But I think we need to understand it is far from a complete solution to the problem of source security.
My concerns come from the context in which Strongbox will be used. Strongbox is a lovely tool, but it is not a complete secure communication strategy. It is good that Strongbox includes a simple two-way communication system, which allows journalists to leave messages for sources (though in my brief test it wasn’t clear that this feature was working.) But do journalists and sources know how they must use this feature?
If the journalist and the source ever communicate through any other medium—phone calls, instant messages, email—this leaves records which can be used to identify the source. This is true even when encryption is used, because encryption only hides what you are saying, not who you are talking to. Whether or not this is a problem depends on who you are trying to keep secrets from—as the recent secret DOJ subpoena of AP phone records shows.
Moreover, the submitted material may contain metadata or other identifying material, such as the hidden “author” field in a Word document, or the location data in photographs (which has already blown at least one source.) Sources won’t be thinking about this, and I see no mention of metadata scrubbing in the New Yorker’s data handling plan.
In short, no tool can remove the need for thinking very carefully about security. I teach security in terms of a threat modeling framework, where journalists and sources alike must think through what they have to protect, who they have to protect it from, and all the different ways their adversary can win.
Strongbox is a good tool, but where is the training?
I am also concerned that the system may still be too hard to use. The Strongbox web service has a simple, clean interface —and bravo for that—but first the user has to get Tor running. In my experience, even savvy technologists vastly overestimate the number of people who can reliably complete tasks like “download and install this software.” If these users don’t also understand why such drastic measures are necessary, they will find ways to accomplish their goals with much simpler tools—like email. Strongbox cannot help users who are too frustrated to get it working properly.
How many users will avoid Strongbox because it is too hard to set up, and just email the New Yorker instead? I don’t know. Nobody does. There doesn’t seem to be any usability testing yet.
Finally, although anonymous submission technology is important, and possibly transformative, it only matters when the material in question is both highly sensitive and can be verified independently of the identity of the source. Further, it must be possible to complete the reporting without much communication with the source (dead-drop messaging is a terrible way to work on deadline, and using any other method of communication voids the security.)
It’s not clear to me how many stories really fall into this category. I am impressed by the thought and effort that went into Strongbox, but the ultimate proof of the tool will be in the journalism that the New Yorker does with it.
Mike Tigas on Tor and Trade-offs
I’m still diving in myself, but a few random thoughts:
Tor is hard. Even with the Tor Browser Bundle (as easy as “download, unzip, and run program”, no need to install anything), the usability of Tor leaves much to be desired unless you’re someone with something to hide. This tool obviously won’t be for everyone, but the existence of strong tools for strong circumstances (whistleblowers come to mind) can elevate and protect the journalistic process.
@jonathanstray Safe deposit boxes at banks aren’t exactly convenient, either. Software is (slowly) getting better at it, at least.— Mike Tigas (@mtigas) May 15, 2013
Security nerds will debate whether this is bulletproof or not—but what is, in this day and age? This tool, if used at all, is far more secure than the existing state of affairs for anonymous sources. (E-mails? Phone calls? Please.) In my (rushed) opinion, it’s a good sign that the app stands on the shoulders of giants: the site operates as a Tor hidden service and the most important security-related code (submission page, crypto) are beautifully simple and simply pass data to GPG, a well-known secure encryption tool.
It appears as though the install process is fairly complex at the moment, so not everyone will have a “DeadDrop” server running right away, but many in the journalism and tech communities are working on it.
I gave a general talk about cybersecurity at the NICAR conference in March (slides here)—briefly mentioning the similar anonymous dropbox that Wikileaks once provided—and I’m working on the For Journalism project to create an online course on cybersecurity for journalists this year. As Twitter hackings and broad subpoenas become more and more of a hot topic, it’s my hope that journalists become aware of the issue and learn how to better protect themselves and their sources.
Jacob Harris is a Senior Software Architect who works with a kickass team of fellow newsroom developers at the New York Times.
Journalist, data scientist. Teaching computational journalism at Columbia, built @overviewproject. Circus geek. Ask me anything.
Developer, journalism troublemaker, internet troll. Knight-Mozilla @OpenNews Fellow at @ProPublica. Also: Onion Browser (Tor iOS), @TabulaPDF, @ForJournalism.