Opening The Lid On StrongBox, The Anonymous Leak System Coded By Aaron Swartz

This article is more than 10 years old.

Since WikiLeaks' submission system went offline in late 2010, journalists and hacktivists have struggled to replicate its dropbox for anonymous leaks. Meanwhile, the Obama administration has prosecuted more leakers under the Espionage Act than all other presidencies combined and the Justice Department has spied on the Associated Press to out its sources, as the media gropes for tools to counteract that surveillance.

For the past two years, the media group Conde Nast has been quietly taking on that problem with the help of a notable programmer: the late free information activist Aaron Swartz. On Wednesday the company's New Yorker magazine released Strongbox, a surveillance-resistant, anonymous, open-source WikiLeaks-style online dropbox for tips and leaks that Swartz only finished coding a month before his death.

Other media organizations including Al Jazeera and the Wall Street Journal have tried launching their own leak portals in the past, but faced criticism for security snafus and legal loopholes that threatened to leave sources vulnerable. Swartz, on the other hand, wrote a version of the RSS protocol and portions of an anonymity tool called Tor2Web, projects that contributed to his reputation as a brilliant coder. So I thought it might be worth giving Strongbox, and the free, open-source architecture known as DeadDrop on which it's based, a closer look.

I took a look at DeadDrop's readme on GitHub and spoke with Kevin Poulsen, the investigative editor at the New Yorker's fellow Conde Nast publication Wired, as well as computer security expert James Dolan, who consulted on the project. Here are a few of Strongbox's features I learned about:

  • When a source visits Strongbox--and it can only be visited by running the anonymity software Tor and navigating to the URL http://tnysbtbxsf356hiy.onion--the user is given a code name. These seem to be long, obscure combinations of four words, like "crestons antennules unsterile tenaculum" or "copiously unworried diaglyph ordonnance," which the user is asked to memorize or keep in a secure place. Those words function as the user's login, and are meant to be both more complex than the average password and easier to remember than super-complex passwords. (Poulsen refers to them as "XKCD-style passwords," as explained in this comic strip.)
  • By giving the user a secure account, Strongbox allows him or her to check back for responses from the journalists who receive the material. Since everything occurs on the Tor network, the source and reporter can continue to correspond without the source ever being identified. "It improves on what WikiLeaks did by offering this two-way communication," says Poulsen. "It allows an ongoing journalist-source relationship."
  • When submitted data is received by Strongbox, it's encrypted and kept separate from the rest of the New Yorker's network on a machine running an especially secure version of Linux called grsecurity. Only two journalists at the media organization are designated as recipients of the material, not the whole newsroom.
  • Those two journalists can only download the encrypted file through a virtual private network, or VPN. The VPN requires the reporters to use Google's two-factor authentication protocol, which asks the user to enter a one-time code in addition to his or her password. That code is sent to the user's phone, in order to make it harder to compromise the reporter's account without also getting physical access to his or her handset.
  • When the recipient journalists want to decrypt the file, they move it via USB thumb drive to another machine that's always kept disconnected from any network. "There are always security risks, so by having a machine that's never connected to a network, that greatly decreases the avenues to compromise," says Dolan. That machine is used to run forensic software that scrubs the file for any metadata that might reveal the source, and to review the material for publication.
  • A fake source could send malicious files as a submission, intending to corrupt that disconnected computer. So that machine has no hard drive. Instead, it's booted from a CD and wiped clean after every use. The cryptographic keys used to decrypt the material are kept on another separate USB drive. "If there's no hard drive, it's pretty hard to have a persistent attack," says Dolan.
  • Perhaps the biggest security advantage the New Yorker's leak portal has over others like Al Jazeera's, the Wall Street Journal's, or even WikiLeaks', argues Poulsen, is that it doesn't offer leakers any option but Tor's anonymity network to send sensitive information. That might prevent some unmotivated leakers from using Strongbox, but it avoids the risk they'll send secrets over a less anonymous method of communication and compromise themselves. "I'm pretty excited about the fact that we've got the New Yorker on Tor," says Poulsen. "They've joined the dark net."
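
The four-word code names described in the first item above can be sketched as follows. This is an added example, not DeadDrop's or Strongbox's own code: the word list is a constructed 16-word sample, and the function names, the site-wide `server_salt` and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import secrets

# Constructed 16-word list so the example runs offline; a real list would
# hold thousands of words (its size is an assumption, the article gives none).
SAMPLE_WORDS = ("amber basil cedar delta ember fjord grove heron "
                "ivory jetty kelp lotus maple nadir ochre plume").split()

def generate_codename(words, count=4):
    """Pick `count` words with the OS CSPRNG (never the `random` module)."""
    return " ".join(secrets.choice(words) for _ in range(count))

def entropy_bits(list_size, count=4):
    """Guessing entropy of a uniformly chosen code name, in bits."""
    return count * math.log2(list_size)

def normalise(codename):
    """Collapse case and spacing so a memorised phrase re-types reliably."""
    return " ".join(codename.lower().split())

def account_key(codename, server_salt, rounds=200_000):
    """Slow digest stored in place of the code name. With no separate
    username, the same digest also indexes the account (assumed design)."""
    return hashlib.pbkdf2_hmac("sha256", normalise(codename).encode(),
                               server_salt, rounds)

def check_login(candidate, server_salt, stored_key):
    """Recompute the digest and compare in constant time."""
    return hmac.compare_digest(account_key(candidate, server_salt), stored_key)

if __name__ == "__main__":
    salt = secrets.token_bytes(16)  # hypothetical site-wide salt
    name = generate_codename(SAMPLE_WORDS)
    key = account_key(name, salt)
    print(name, check_login(name, salt, key))
    print(f"16-word list: {entropy_bits(16):.1f} bits; "
          f"7776-word list: {entropy_bits(7776):.1f} bits")
```

The entropy figures show why the list size matters more than the word count: four words from a 16-word list are trivially guessable, while four from a 7,776-word list give roughly 52 bits.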

For more detail on the architecture of Strongbox and DeadDrop, check out the project's GitHub page.

Follow me on Twitter, and check out my new book, This Machine Kills Secrets: How WikiLeakers, Cypherpunks and Hacktivists Aim To Free The World’s Information.