×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

The New Yorker Launches 'Strongbox' For Secure Anonymous Leaks

Soulskill posted about a year ago | from the sing-like-a-really-safe-canary dept.

Open Source 94

Today The New Yorker unveiled a project called Strongbox, which aims to let sources share tips and leaks with the news organization in a secure manner. It makes use of the TOR network and encrypts file uploads with PGP. Once the files are uploaded, they're transferred via thumb-drive to a laptop that isn't connected to the internet, which is erased every time it is powered on and booted with a live CD. The publication won't record any details about your visit, so even a government request to look at their records will fail to find any useful information. "There’s a growing technology gap: phone records, e-mail, computer forensics, and outright hacking are valuable weapons for anyone looking to identify a journalist’s source. With some exceptions, the press has done little to keep pace: our information-security efforts tend to gravitate toward the parts of our infrastructure that accept credit cards." Strongbox is actually just The New Yorker's version of a secure information-sharing platform called DeadDrop, built by Aaron Swartz shortly before his death. DeadDrop is free software.

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

94 comments

Is it in a bunker ? (2, Funny)

Anonymous Coward | about a year ago | (#43734179)

Because things are always more secure inside of a bunker.

Re:Is it in a bunker ? (2)

durrr (1316311) | about a year ago | (#43734335)

"a secure information-sharing platform called DeadDrop, built by Aaron Swartz shortly before he DroppedDead."

I'm not sure I want to use that, it sounds cursed.

Re:Is it in a bunker ? (4, Funny)

K. S. Kyosuke (729550) | about a year ago | (#43734405)

I'm not sure I want to use that, it sounds cursed.

Why, yes, it's black magic; he killed himself so that his fresh code would be imbued with his life force, giving a spirit guardian to the software and thereby making any hacking attempt instantly fatal to government cloak-and-port-mapper types. Fork it on Github right now!

Re:Is it in a bunker ? (1)

Frosty Piss (770223) | about a year ago | (#43734537)

"a secure information-sharing platform called DeadDrop, built by Aaron Swartz shortly before he DroppedDead."

There is that. But also, The New Yorker is not really the first publication that comes to mind when I think of imparting secrets to a "news organization".

I mean, what would I send them? The inner secrets of socialites, dilitants, and various beat arteeests?

Re:Is it in a bunker ? (2, Funny)

K. S. Kyosuke (729550) | about a year ago | (#43734747)

Who are "dilitants"? Dilettante militants?

Hope the editors like Ecuador (2)

Filter (6719) | about a year ago | (#43734201)

Wasn't there a guy who tried this once before?

Re:Hope the editors like Ecuador (1)

Ken_g6 (775014) | about a year ago | (#43734389)

Wasn't there a guy who tried this once before?

Yes, but he wasn't American and wasn't part of an official news organization.

Of course, their phone records might still get subpoenaed.

Re:Hope the editors like Ecuador (2)

Fjandr (66656) | about a year ago | (#43745409)

Given the Justice Department's latest actions, subpoenas aren't necessary anymore to troll for information that's not even connected to an active investigation.

They just wiretap and obtain phone records whenever the hell they feel like it now.

Re:Hope the editors like Ecuador (1)

Joce640k (829181) | about a year ago | (#43734531)

Wasn't there a guy who tried this once before?

The men in black SUVs paid him a visit. Just like they'll pay this guy a visit...

But does it work well in practice? (5, Interesting)

nweaver (113078) | about a year ago | (#43734203)

Strongbox technically is very strong, without a doubt. But, being TOR based, it will be hard to use. Worse, a potential leaker not only must use their own computer (ideally a throwaway computer), but they can never have VISITED the Strongbox information page from work, because otherwise any leak to the New Yorker will be suspicious.

And Strongbox's information page drives Ghostery crazy! Not a good sign for a privacy tool.

Probably more important is general Operational Security [wired.com] , including burner phones and/or burner computers.

Julia Angwin has an excellent additional point: Physical mail (dropped in a random post-box with a bogus return address) is perhaps the best way for anonymous one-way communication. The USPS will record address information when asked by law enforcement, but (currently) doesn't record this on all mail. Thus there is no history and, even if there was, this can only be traced to the processing post office. Perhaps the best use of the mail is simply to send the reporter a burner phone preprogrammed so that the reporter can call your burner.

Re:But does it work well in practice? (2)

EmagGeek (574360) | about a year ago | (#43734273)

Really? I only got six bugs with Ghostery.

In contrast, I routinely get more than 20 at money.cnn.com.

But you're right. For any "privacy" company to be tracking you with six bugs says a lot about their real concern for privacy.

Re:But does it work well in practice? (0)

Anonymous Coward | about a year ago | (#43734297)

The only potential issue with mailing is if identifying information is recorded on the physical media. Many (all?) optical disc burners will include a serial number on the media they write. Flash drives have a unique serial number that is cached by most OSs. If your mail is intercepted these tidbits can be tied to you if your computer is later seized. This risk can be mitigated by only using a virgin flash drive (cash purchase or eBay) from a liveCD OS. Another option is figuring out how to modify the serial number of a burner.

Re: But does it work well in practice? (0)

Anonymous Coward | about a year ago | (#43735041)

Or you could use the latest high tech way to write information securely. A pen. And paper. If you're serious about it use gloves to eliminate fingerprints.

Re:But does it work well in practice? (4, Interesting)

Anonymous Coward | about a year ago | (#43734337)

Julia Angwin has an excellent additional point: Physical mail (dropped in a random post-box with a bogus return address) is perhaps the best way for anonymous one-way communication. The USPS will record address information when asked by law enforcement, but (currently) doesn't record this on all mail. Thus there is no history and, even if there was, this can only be traced to the processing post office. Perhaps the best use of the mail is simply to send the reporter a burner phone preprogrammed so that the reporter can call your burner.

All the time making sure not to get seen on CCTV and wearing throw-away gloves and clothes. Also ensure not to leave any DNA on or in the package. Compare that to using a LiveCD with TOR.

These days the risks of doing something private in the real world are just as hard as on the internet.

Re:But does it work well in practice? (4, Insightful)

bussdriver (620565) | about a year ago | (#43734493)

Depends on the COST to figure out the identity. DNA isn't cheap or quickly checked, you have to be worth it.

Scanning a DVD for the burner's serial number probably takes little effort depending on how widespread the tools are. I wasn't aware they burned that info--- they do? I know even CDs have manufacturer info on them but that didn't seem that useful. Then looking that up against a db containing them might also be easy but somehow I doubt the db contains that much info... probably more labor than a DNA check; blueray... that probably has your name burned into it. (sony made them)

Printing on paper? your inkjet is printing the printer's serial number onto the paper- I would think the feds would have that software and anybody with access probably can use it. tracking that down to you is probably much easier than DVDs but still involved.

Flash? well, buy a new one in cash and use it only once. make sure your OS isn't putting hidden files onto it... mount it in a virtual machine just to be safe. you could also find your OS's cache of UUIDs and delete it... but if they are accessing your computer to find if you ever mounted the drive you are in a bad situation already.

TOR might be great but one has to wonder -- the feds could be half the nodes and with enough of them they could detect you. they can use it themselves without concern about this but you on the other hand... could be unlucky. plus as some records have shown, they've found people by tracking when they show up in chat rooms and when they went on TOR matching... then you have all these horrible "cloud" apps today-- even your simple calculator app is connecting to the "cloud" today! all these apps doing "harmless" things in the background online is providing a signature of their own, if not giving out identifiers.

Re:But does it work well in practice? (1)

Stolovaya (1019922) | about a year ago | (#43737279)

I'm rather curious, how can you find the serial number from your printer on a piece of paper printed from that printer?

Re:But does it work well in practice? (0)

Anonymous Coward | about a year ago | (#43737557)

Colour printers these days are good enough that paper-money forgery is a concern. As a result, colour printers are required to watermark all printouts with their serial number, generally using small yellow dots (as those are hard for the eye to pick up, thus not visibly affecting print quality).

Do B&W printers do this too, using some other mechanism? More relevant question: how much do you want to bet they don't?

Re:But does it work well in practice? (1)

cheekyjohnson (1873388) | about a year ago | (#43738291)

Just another example of sacrificing freedom and privacy for perceived safety (from counterfeiting, in this case). Even though this has been known about for quite a while now, it still seems just as pathetic.

Re:But does it work well in practice? (1)

tehcyder (746570) | about a year ago | (#43738923)

Just another example of sacrificing freedom and privacy for perceived safety (from counterfeiting, in this case). Even though this has been known about for quite a while now, it still seems just as pathetic.

No, counterfeiting is a genuine problem, not something made up to stop you from printing out child abuse images anonymously..

But no doubt you think we should not only go back to the Gold Standard, but only use actual gold pieces as currency too.

Re:But does it work well in practice? (3, Interesting)

cheekyjohnson (1873388) | about a year ago | (#43738995)

But no doubt you think we should not only go back to the Gold Standard, but only use actual gold pieces as currency too.

What? I said nothing of the sort.

The problem with this is that it people are assumed to be criminals by default and privacy is sacrificed so we can thwart the evil bogeymen who threaten us so. That's exactly the mindset that allows for people to be molested when they want to get on a plane in the US.

Re:But does it work well in practice? (0)

Anonymous Coward | about a year ago | (#43744029)

If we don't go back to the gold system, how do you expect our paper money system to survive if counterfeiting is easy?
The economy would collapse and we'd be back to the stone ages.

And what does anti-counterfeiting have to do with privacy anyway?

Re:But does it work well in practice? (1)

cheekyjohnson (1873388) | about a year ago | (#43748517)

If we don't go back to the gold system, how do you expect our paper money system to survive if counterfeiting is easy?

I err on the side of freedom, so safety isn't a question for me.

And what does anti-counterfeiting have to do with privacy anyway?

You can't figure out how printing nearly-invisible dots on paper printed from a printer so that the government will more easily be able to catch counterfeiters (and anyone else they feel like harassing) is related to privacy? Really?

Re:But does it work well in practice? (0)

Anonymous Coward | about a year ago | (#43741069)

What if I pull the yellow out?

Re:But does it work well in practice? (2)

serialband (447336) | about a year ago | (#43737961)

There's an EFF project on identifying the tracking codes. It's mainly done with color laser printouts using yellow dots. If you know what your printer is printing, you could theoretically introduce yellow dot patterns to randomize your serial number and mess up the identification.

http://w2.eff.org/Privacy/printers/docucolor/

Re:But does it work well in practice? (0)

Anonymous Coward | about a year ago | (#43734433)

There is another problem. The explanation says:

Once you have access to the Tor network, go to Strongbox at http://tnysbtbxsf356hiy.onion, where you will find further instructions on how to submit files and messages to The New Yorker.

Since the instructions on the onion routed page are provided by The New Yorker and they can be forced with a National Security Letter to comply with an investigation without being able to tell anyone, it should be possible to catch the whistleblowers by giving them bogus information on how to proceed or gaining direct control of the page and the receiving computer.

Re:But does it work well in practice? (1)

cornholed (1312635) | about a year ago | (#43734667)

But, being TOR based, it will be hard to use.

Because using something like tor2web.org is sooooooooo incredibly hard, let alone downloading and installing a new browser...

Re:But does it work well in practice? (0)

Anonymous Coward | about a year ago | (#43734981)

It's still a pain. Having run TOR briefly to see what it was all about when the Iranian election crisis was going on, it was so painfully slow that I nearly died of boredom waiting to get anything done.

Not to mention that if I was a leaker, the last thing I want is any proof whatsoever that I even knew how to operate TOR. If you were on a list of people they had to think about, just having TOR on your machine puts you on an even shorter list. And if you thought you deleted it? You didn't.

They may not be able to convict you of anything, but that doesn't keep certain parts of the government from finding out it was you and satisfying themselves beyond a reasonable doubt. After all, if you're leaking, those people aren't exactly playing by the rules to begin with, are they?

I think burner phones, or even good old fashioned dead drops and other tradecraft is the best way of doing this. If you absolutely have to use the Internet, then don't do it at home, use a VM, and then maybe use TOR on top of that. When you are done wipe that all with a sledgehammer and throw it in a lake. Just don't count on TOR by itself.

Re:But does it work well in practice? (0)

Anonymous Coward | about a year ago | (#43739295)

It's still a pain. Having run TOR briefly to see what it was all about when the Iranian election crisis was going on, it was so painfully slow that I nearly died of boredom waiting to get anything done.

'boredom' should not be a problem. If having the submission process be a pain and slow is too much for you then perhaps what you have to blow the whistle on isn't worth it. I've been a whistle blower, I can't imagine ever thinking "screw this, I have to take the extra effort to actually communicate this in a way that protects me". If you're blowing the whistle then you're probably the sort of person who is not going to let little things like that stand in your way.

Re:But does it work well in practice? (0)

Anonymous Coward | about a year ago | (#43734765)

Strongbox technically is very strong, without a doubt

yeah, because all strong authentication uses google authenticator on ubuntu boxes with kernel patches with a variety of known vulnerabilities in it so it can generate LOL session id's for its crypto done in an interpreter....

Re:But does it work well in practice? (1)

icebraining (1313345) | about a year ago | (#43735069)

You have no idea what's you're talking about. Google Authenticator is a client application and it doesn't even run on Ubuntu. And interpreters are not inherently less secure than compiled binaries, because a binary is itself just code being interpreted by the CPU, as millions of exploits based on modifying and injecting (shell)code show.

Re:But does it work well in practice? (1)

LordLimecat (1103839) | about a year ago | (#43734865)

Tor cloaks your requests both by encrypting the HTTP part, and by masking the DNS part. If you access it over tor at work, all anyone will know is that youre using tor.

Re:But does it work well in practice? (1)

tehcyder (746570) | about a year ago | (#43739099)

Tor cloaks your requests both by encrypting the HTTP part, and by masking the DNS part. If you access it over tor at work, all anyone will know is that youre using tor.

If you lived in a genuine totalitarian state, they'd just use the fact that you used tor at all as evidence that you were an enemy of the state and torture the information out of you.

Re:But does it work well in practice? (1)

mynamestolen (2566945) | about a year ago | (#43735907)

Physical printout is dangerous if the physical is photocopied or kept. 1. There's forensics on the physical. 2. Many orgs use a kerning algorithim (the tiny spacing between letters is altered in a code which records who and where and when issued the printer command.)

Re:But does it work well in practice? (1)

davydagger (2566757) | about a year ago | (#43736221)

1. Fuck ghostery, its closed source nonsense.

2. Throw away computer, try throw away operating system. Its much easier.
tails
https://tails.boum.org/

libertre linux
http://sourceforge.net/projects/liberte/?source=directory

And there are many more, those are just too that automaticly transmit everything in TOR.

Re:But does it work well in practice? (2)

chihowa (366380) | about a year ago | (#43737227)

1. Fuck ghostery, its closed source nonsense.

Well, that's a weird response. Ghostery may be closed source, but what it's doing isn't exactly magic. Read the page source and linked javascript yourself. You can find the trackers by hand.
Dismissing the claim of multiple tracking scripts on a privacy-required site because you don't like the tool someone used is a bizarre way to operate.

Re:But does it work well in practice? (1)

davydagger (2566757) | about a year ago | (#43741315)

there are enough programs like noscript that work just as well, and are Free/Open.

ghostery breaks things just like noscript does, and I think noscript gives you more control. Also, it comes down to trust, do you TRUST a closed source app to provide you privacy?

If its free to use, and closed source, its still a commericial, or a wannabe commericial product, which means they have to make money on it somehow. If your not paying for it, how are they making money? Either there its gimped or hobbled in an obnoxious way that makes you want to buy the pro-version, or they are selling "you, the consumer" somehow.

If its Free as in speech, or open source, its most likely a community project worked on as a collorberative effort by people who want functionality, or as value added by a company who's not looking to directly profit off it.

Re:But does it work well in practice? (1)

drinkypoo (153816) | about a year ago | (#43736343)

The USPS will record address information when asked by law enforcement, but (currently) doesn't record this on all mail.

The federal government is recording and pattern matching email and voice calls. I'm damned sure that they're logging this data at the USPS. If the USPS isn't also logging it, that's goddamned pathetic. My postmaster believes the same stupid shit, though.

Based on TOR (2, Interesting)

Anonymous Coward | about a year ago | (#43734229)

I have the impression that TOR is probably compromised by an assortment of constitution trampling three letter agencies, I just don't get why it keeps getting pushed as some shining beacon of privacy. I have to assume that 1/3 of the exit nodes are the feds fishing, 1/3 are criminals fishing and 1/3 are privacy advocates who somehow don't seem to know about the other 2/3.

Please educate me if I am wrong.

Re:Based on TOR (1, Redundant)

MightyYar (622222) | about a year ago | (#43734441)

If the 3-letter agency is not one who cares about your activity in particular, then what do you care?

Re:Based on TOR (0)

Anonymous Coward | about a year ago | (#43735043)

Between the NSA, FBI, DOD, CIA, and some random part of DHS, I'd have trouble thinking of some three-letter agency that *wouldn't* be interested in your TOR node.

Besides, if they store that information, all they need to do is cross-reference it on demand. And please don't think that these guys won't talk to each other. They may have trouble finding terrorists, but they have no problem cooperating to find leakers who threaten them personally. Especially if someone in a higher position mentions it being a problem while on the golf course with his buddy in the other agency.

Re:Based on TOR (1)

MightyYar (622222) | about a year ago | (#43736273)

Those numbskulls couldn't catch a terrorist even after twice being warned by Russia and then interviewing him. The chances that they can actually intercept and make sense out of an encrypted upload about some issue that they probably don't even care about are about zero.

Re:Based on TOR (1)

Demonantis (1340557) | about a year ago | (#43742379)

They tend not to share all information with each other. They all have different goals and politics. It is one of the reasons explaining how 911 occurred while the NSA, FBI, and CIA were tracking the hijackers. I have no idea if it has gotten better since that time.

Re:Based on TOR (-1)

Anonymous Coward | about a year ago | (#43734443)

You're wrong, and you sound like a tinfoil hatter. I suppose you also think 9/11 was an "inside job".

Re:Based on TOR (1)

game kid (805301) | about a year ago | (#43734501)

I have the impression that humanity is probably compromised by an assortment of constitution trampling three letter agencies, I just don't get why it keeps getting pushed as some shining beacon of goodness. I have to assume that 1/3 of the people are the feds fishing, 1/3 are criminals fishing and 1/3 are privacy advocates who somehow don't seem to know about the other 2/3.

Please educate me if I am wrong.

Re:Based on TOR (0)

Anonymous Coward | about a year ago | (#43734613)

You're free to exit humanity if you don't feel it's worth the privacy risks to your blog of cat pictures. There's most likely an object sharp enough to cut certain of your key veins nearby.

Re:Based on TOR (1)

cheekyjohnson (1873388) | about a year ago | (#43738335)

I just don't get why it keeps getting pushed as some shining beacon of goodness.

I don't think anyone with a brain does that.

Re:Based on TOR (0)

Anonymous Coward | about a year ago | (#43735621)

Indeed, you cannot trust exit nodes. So take that into account when you use them.
For example, if you use HTTPS or such, the exit node cannot MITM you (HTTPS vulnerabilities notwithstanding).
And if you have a plaintext connection, don't leak identifying information on there in any way (like browser cookies).
Tor only hides your IP, that is all. For having anonymity, be sure to hide all the other identifying information in the other layers.

It's like everybody always walks around with a name tag. If someone wants to be anonymous, he really has to remove the name tag, which Tor does. But he will also need to take care of never saying their real name, shred documents before throwing them out, etc.
And without tor or something like that, even if you never say your name and always shred your docs, you will still have the name tag.

(sorry, I don't have a car, so no car analogy)

And, if you use Tor hidden services, there is no exit node to MITM you, only the hidden service itself can wiretap/phish.

Missing a link? (1, Interesting)

interkin3tic (1469267) | about a year ago | (#43734257)

So they put these files on a thumb drive and put it onto this computer which can't be hacked. How are they getting it from the strongbox server to the USB thumb stick? Are the files only decrypted once they're on the super secure laptop?

Re:Missing a link? (3, Funny)

Cenan (1892902) | about a year ago | (#43734463)

Read TFA, the answer is inthere waiting for you. I won't spoil the ending for you.

Oh great ... (4, Insightful)

gstoddart (321705) | about a year ago | (#43734303)

Now they'll decree the press are terrorists and say it's illegal to do this since it prevents 'awful' monitoring.

I think this whole snooping on the reporters thing has them deciding to fight back and send a big "F you".

Re:Oh great ... (3, Informative)

Fnord666 (889225) | about a year ago | (#43737117)

I think this whole snooping on the reporters thing has them deciding to fight back and send a big "F you".

Double plus good on this then. The media has been too damn cozy with both corporations and governments for a while now. Their relationship should be adversarial rather than cooperative.

Re:Oh great ... (4, Insightful)

Karl Cocknozzle (514413) | about a year ago | (#43737317)

Now they'll decree the press are terrorists and say it's illegal to do this since it prevents 'awful' monitoring.

I think this whole snooping on the reporters thing has them deciding to fight back and send a big "F you".

I find it offensive that they needed it to happen to them personally before they did anything about it. This has been a "fact of life" of "Post-9/11" America for over a decade now, and the first the AP reports significantly on snooping is because it happened to them. ...And before that?

Re:Oh great ... (1)

dgatwood (11270) | about a year ago | (#43738347)

It's human nature to say, "It won't happen to me," until it does. Nearly everything bad in the world would be prevented if we could simply stamp out that part of human nature.

Re:Oh great ... (0)

Anonymous Coward | about a year ago | (#43738443)

What does it mean to say that it's "human nature"? It's a common mindset for imbeciles to have, but I complain whether or not these things happen to me because they are unjust regardless of who it happens to.

Re:Oh great ... (1)

dgatwood (11270) | about a year ago | (#43738557)

Human nature means that the vast majority of humans act that way. I complain whether things happen to me or not, too, but folks like us are in the minority.

Re:Oh great ... (1)

tehcyder (746570) | about a year ago | (#43739679)

Now they'll decree the press are terrorists and say it's illegal to do this since it prevents 'awful' monitoring.

How about 'quite good' or even 'excellent' monitoring?

Can you promise no government hacking? (2, Insightful)

stanlyb (1839382) | about a year ago | (#43734321)

After the recent news of AP's guys being hacked, eavesdropped, etc, and which is more important, NO REACTION from all of the other news groups (really, i thought this would be the number ONE news!!!), could you be sooo naive to believe that NewYorker would be a safe harbor for your little pretty leak?
I am not idiot, what about you?

Re:Can you promise no government hacking? (1)

Anonymous Coward | about a year ago | (#43734527)

AP is a consolidated semi-monopoly run by entrenched moneyed interests. It's already compromised. They just pedal vapid, per-massaged news bites to other "news" agencies that essentially act as resellers.

The phone record "scandal" is just a case of someone stepping on someone else's turf.

Re:Can you promise no government hacking? (1)

Pecisk (688001) | about a year ago | (#43734783)

You must be living in cave, because literary *everybody* talking about it last 2 days. Check news.google.com for example.

Re:Can you promise no government hacking? (1)

Pecisk (688001) | about a year ago | (#43734879)

AP guys weren't hacked or eavesdropped. State Department secretly required massive amount of call logs (who whom called in what time and how long) in seemingly fishing expedition. Heck, it had even legal oversight and it was properly done. Problem is, there's unwritten rule that you request such information only as last resort - and you inform subject media after the fact.

As for hacking - it really depends how good they tweak this system. If it's really separated and rebooted from live usb/cd-rom, then it's doable. They should have a specialist who check it regularly for newest exploits for such systems and upgrade system accordingly.

Right way? (0)

Anonymous Coward | about a year ago | (#43734457)

Oh yeah... how is the laptop erased? Is it a software based method using mutiple overwrites or hardware/firmware encription built into the drive itself or something else?

Re:Right way? (1)

SydShamino (547793) | about a year ago | (#43734507)

My impression from the summary (no, I didn't RTFA) is that the laptop is erased by power cycling its RAM, and the hard drive you are wondering about was erased by being removed from the machine last month and never used again.

Booting from a live CD and pulling data from a thumb drive to read it, there is no need for a hard drive whatsoever. Only RAM and processor registers ever see the data, and nothing usable is retained from them.

Now, how they secure that thumb drive, however, is a mystery solved presumably by reading the article, which I won't.

Re:Right way? (1)

niftymitch (1625721) | about a year ago | (#43734769)

My impression from the summary (no, I didn't RTFA) is that the laptop is erased by power cycling its RAM, and the hard drive you are wondering about was erased by being removed from the machine last month and never used again.

Booting from a live CD and pulling data from a thumb drive to read it, there is no need for a hard drive whatsoever. Only RAM and processor registers ever see the data, and nothing usable is retained from them.

Now, how they secure that thumb drive, however, is a mystery solved presumably by reading the article, which I won't.

A live CD makes a lot of sense for any banking. We should all have one in our laptops for financial transactions. A USB key could be used for something like password safe.

There are unique bits in laptop hardware like the MAC address that can be squashed from software prior to connecting.

One additional trick is to connect via a USB wifi dongel that can act a lot like a burner phone...

Re:Right way? (1)

dgatwood (11270) | about a year ago | (#43738353)

A live CD makes a lot of sense for any banking.

Not really. 99% of people won't be willing to reboot just to go to a bank website. And even if they were, a suitably compromised BIOS/EFI could render the additional security worthless.

Re:Right way? (1)

niftymitch (1625721) | about a year ago | (#43748555)

A live CD makes a lot of sense for any banking.

Not really. 99% of people won't be willing to reboot just to go to a bank website. And even if they were, a suitably compromised BIOS/EFI could render the additional security worthless.

At which point nothing can be considered reliable. A read only CD/DVD has one advantage in that it cannot be written on. A compromised BIOS/EFI that contains enough functionality to be a problem would be an interesting bit of code. Virtualization however opens some very big buckets of worms.

Eat your own medicine NYT (1)

Anonymous Coward | about a year ago | (#43734477)

Put your telephones inside this StrongBox and how it works for you.

No record of any visit? (2)

houghi (78078) | about a year ago | (#43734585)

I rather go with the idea that I WILL be followed and things WILL be recorded then to trust that nobody does. If being traced is a problem for you, then assume that you ARE being traced and people who say they won't are lying.
If I had anything to share and it should be anonymous, sending a thumb-drive should be a lot easier. Darn, just send all sources an SD card via snail-mail. With the prices of what they are, the most expensive part will be posting. And it can be done from almost anywhere in the world as well. (Note: Just don't fill out the return address)

Re:No record of any visit? (1)

TaoPhoenix (980487) | about a year ago | (#43734913)

I share your skepticism, and I'm waiting for someone with enough clout to bust them at their game.

Maybe it's an honest effort, but with a site specifically designed for juicy info, "selling out the source" is all the rage these days, whether it's in fact the paper or if they F*k it up and Anonymous does it for them.

Re:No record of any visit? (0)

Anonymous Coward | about a year ago | (#43737151)

assuming you're sending your leaked data to multiple destinations, enter each one's return address as one of the other destinations. it's still no more traceable back to you, plus there's now a chance that if some of them don't get through, they'll wind up going back to somewhere that can still do something with it, rather than just getting lost in a dlo somewhere

Am I the only one... (5, Insightful)

The Grim Reefer (1162755) | about a year ago | (#43734605)

Who finds it frightening as hell that the press now has to do this? It's a dark day when the press has to take measures like this because the government is ignoring the first amendment.

Re:Am I the only one... (0)

Anonymous Coward | about a year ago | (#43734709)

They're not ignoring it.

They made rules to get around it. In the name of 'security'.

Re:Am I the only one... (1)

The Grim Reefer (1162755) | about a year ago | (#43734841)

They're not ignoring it.

They made rules to get around it. In the name of 'security'.

You're right. They're not ignoring it, they're wiping their ass with it.

Re:Am I the only one... (0)

Anonymous Coward | about a year ago | (#43735141)

Not sure which part of the First Amendment you refer to? Certainly not Freedom of Religion in this topic, and probably not referring to Freedom of Speech here, so that pretty much leaves Freedom of the Press.

I suppose most of this is in reaction to the big bad Government getting subpoenas for AP phone records which were certainly overly broad in their scope. Well overly broad if their only interest was in regard to the classified information leak which AP claims only 5 reporters worked on. What if that wasn't their real objective? What if this is a fishing expedition to see if other information has been compromised? Personally I don't know and don't care as this is the type of Fundemental Hope & Change that the majority of idiots voted for...... TWICE!!! Now everybody wants to whine about it like they found out they were taking your Gubmint Cheese or something! Nothing for free my friends, nothing for free.

Personally I am tired of seeing and hearing, "According to an annonymous government source" or "According to a source who was not authorized to comment on this matter" or other such BS. Why, because when you do not know the source of a supposed story or information, you can just as easily assume that they just made this shit up for ratings or to push and agenda. If something is classified, and you think it is really so important to leak that information, then grow a set and take credit for making the information public.

There was a time in the past when those who got clearances did so and kept their mouth shut unless they saw violations of the law or such, now even our head clown and his dopey sidekicks run their fat faces just to score rockstar points on the nightly entertainment circuit. No wonder everybody knows our business.

If you want to divuldge classified information from either your company or your country, or provide intelligence to those who would use it against your company or country, and that information is not being disclosed because it shows a violation of the laws or personal rights then you should have your head put on a pike.

And as far as the "Press" they used to have integrity, in the past if they got wind of classified information that was potentially damaging to the country, they would have sat on it or turned it over. Now they only care about ratings and selling their services whatever the cost. They don't care if the information is a violation of a company's trust in an individual or of a country's trust if it sells their drivel or furthers their agendas, it is all fair game.

Re:Am I the only one... (0)

Anonymous Coward | about a year ago | (#43735695)

Personally I am tired of seeing and hearing, "According to an annonymous government source" or "According to a source who was not authorized to comment on this matter" or other such BS. Why, because when you do not know the source of a supposed story or information, you can just as easily assume that they just made this shit up for ratings or to push and agenda. If something is classified, and you think it is really so important to leak that information, then grow a set and take credit for making the information public.

...

If you want to divuldge classified information from either your company or your country, or provide intelligence to those who would use it against your company or country, and that information is not being disclosed because it shows a violation of the laws or personal rights then you should have your head put on a pike.

So let me get this straight: You think that the only time a whistleblower who discovers criminal activity that is being hidden by being "classified" should report said criminal activity is if they are willing to be thrown into prison by those conducting the criminal activity. Is that correct?

Get out of my country.

Re:Am I the only one... (1)

The Grim Reefer (1162755) | about a year ago | (#43736011)

Personally I am tired of seeing and hearing, "According to an annonymous government source" or "According to a source who was not authorized to comment on this matter" or other such BS. Why, because when you do not know the source of a supposed story or information, you can just as easily assume that they just made this shit up for ratings or to push and agenda. If something is classified, and you think it is really so important to leak that information, then grow a set and take credit for making the information public.

You kind of lose credibility by posting this as an AC.

Re:Am I the only one... (0)

Anonymous Coward | about a year ago | (#43741627)

I hear you Grim and I would agree if I were trying to peddle information and claim it as fact. I only offered an opinion in a rush and have ever registered on the site as I never really saw a need.

Now if I were claiming that I had insider knowledge that the Obama State Department was secretly negotiating to allow Syria and Iran to invade Isreal without reprisals as an AC, I wouldn't expect anyone to place any value in my statement.

My opinion was more to the point that if someone is NOT an authorized spokesman for a company or the Government and has access to sensitive information, then short of having knowledge of illegal activity they should have enough integrity to keep their mouth shut. If the situation is so bad then leave and make your reasons publicly known if you have to. But divuldging information, such as sensitive plans to damage Iran's nuclear production capability, and for the media to make that information public is IMHO wrong. If you work for a scumbag entity with questionable ethics and you play the game of Anon disclosures so you can stay there then you're still sucking the teat of ill gotten goods, despite any claims of a superior morality. Again just my opinion.

As far as the other AC who suffers from the belief that he/she determines who gets to have an opinion, disclosure of Illegal activity is not illegal, it is a legal and moral obligation.While it may end up in a hell of a fight, once it is public the case against you will be much more in your favor. Again that is just my opinion, but then again you own the country so maybe we are more F'd than I thought.

Re:Am I the only one... (1)

bill_mcgonigle (4333) | about a year ago | (#43735925)

We will implement a police state in the name of safety, only to find that it did not provide us that. By then, we won't be able to undo it peacefully.

Re:Am I the only one... (1, Insightful)

drinkypoo (153816) | about a year ago | (#43736357)

I find it encouraging, because it means that people are trying to contact them electronically, which I think is good. They always had to have operational security for getting information from their sources.

Until Congress decides otherwise (1)

WOOFYGOOFY (1334993) | about a year ago | (#43734925)

"The publication won't record any details about your visit, so even a government request to look at their records will fail to find any useful information. " Until Congress decides that all such communication must be logged by law.

They Screwed It Up (5, Informative)

Anonymous Coward | about a year ago | (#43734945)

Good intentions, but it appears that they have no idea what they're doing.

The New Yorker's Strongbox page says it won't record IP addresses or track you or set cookies - while it's setting cookies for newyorker.com, crwdcntrl.net, demdex.net, and omtrdc.net. If they want people who care about this stuff to take their commitment to anonymity seriously, they can't embed tags in their Strongbox main page that causes browsers to go do GETs on other domains' URLs because that reveals the visit to Strongbox to those third parties.

Now all the FBI has to do is subpeona Adobe's AudienceManager's web logs. Advice to journalists with good intentions: Do this right or don't do it at all.

Now, even if I knew anything, I could never submit it to Strongbox because the New Yorker has already compromised my anonymity to those third parties.

Re:They Screwed It Up (0)

Anonymous Coward | about a year ago | (#43736511)

Now all the FBI has to do is subpeona Adobe's AudienceManager's web logs.

Not a bug - that's a feature.

Did they even research the name? (0)

Anonymous Coward | about a year ago | (#43735113)

Strongbox is an anti-account sharing tool that's been around for the better part of a decade -- http://www.bettercgi.com/strongbox/ . It's well-known in the porn industry.

Ni6ga (-1)

Anonymous Coward | about a year ago | (#43735119)

bulk Of the FrreBSD

TOR (0)

Anonymous Coward | about a year ago | (#43735137)

tos is an insecure piece of shit. those in government black projects know it's highly monitored by the powers-that-be

So yeah, put all of your leaks through some insecure monitored shit - Perfect place for that kind of thing!

Re:TOR (0)

Anonymous Coward | about a year ago | (#43739313)

Tor is Anonymous, not Confidential (in and of itself).

Since the New Yorker's iOS app... (1)

RealGene (1025017) | about a year ago | (#43735615)

..can't make their login work, or remember user login credentials, we can rest assured that no one will ever be able to read what gets put in the strongbox either.

Credibility (0)

Anonymous Coward | about a year ago | (#43735953)

The OPSEC on the part of the source is only part of the issue. The possibly bigger one is credibility. If there's only a single anonymous source for the tip, one unavailable for recontact, then pretty much any attempt at getting a secondary source could be futile. And if there's no second source, most papers are loathe to run the story, no matter how "juicy." (I'm talking national-security, major criminal stuff, etc. Not is so-and-so pregnant. They'll print any of that crap.) And let's say they do get a big one, run with it with a single source and it turns out to be true. So next up the government inserts a big, bogus tip off via the secure system, seemingly from a well-placed anonymous source. They run with it and the government is able to prove that the tip was bogus, blowing the news outlet's credibility all to hell. And as soon as it happens, sources will lose faith in the publication. It's an easy enough PSYOP to plan and run.

Erased when it's powered ON!? (1)

Ungrounded Lightning (62228) | about a year ago | (#43736825)

... a laptop that isn't connected to the internet, which is erased every time it is powered on ...

I hope it's erased every time it's powered OFF, as well. (That way nobody can seize it while it's off and sniff the disk.)

Note the "as well". You still want to erase it on the way back up, just in case the power failed before the shutting-down erase is complete.

Now they can ignore leaks securely (0)

Anonymous Coward | about a year ago | (#43737183)

Given the New York Times has a recent history of ignoring leaks, this is the next logical step - ignoring leaks securely.

Check for New Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...