IMPORTANT: If you are reading this at work, stop now. You MUST NOT leak to the press institution which is hosting this page: even the most rudimentary network logging at your workplace will reveal that you are reading about how to leak to this institution.
^^ and also don't read / access / print out and store the story (or stories) written using the material that was leaked by _you_. This is something that was used to catch Mr Kim in the James Rosen spy ring. He had printouts of the stories that used him, and/or his classified material, stored on his desk in plain sight.
Trevor T: SecureDrop aims to make it easier for sources and whistleblowers to get sensitive documents to journalists in a more secure manner than email. However, 100% security is impossible in any situation, and because we are attempting to lower the bar of entry for sources, there are trade-offs that every source should know before leaking.
This guide is an attempt to explain the security risks you may run into when leaking documents through SecureDrop and how you can properly protect yourself. We also offer suggestions on how you can give yourself even more protection if you are more technically sophisticated.
TL;DR: Grab your personal computer, Tails USB, and documents—but leave your phone at home. Use cash and take a bus to a coffee shop you have never been to. Avoid shoulder surfers and CCTV. Using the Tor Browser, or preferably the Tails operating system, access your preferred news organization's SecureDrop onion URL from the coffee shop's open wifi. Always be aware of all the info you are submitting, obvious or not. Only keep info for as long as you need it. Use a location once, then consider it burned. Protect your codename. Don't tell anyone about what you are doing or have done, and never answer questions from investigators without a lawyer present.
Your network connection and computer
First, you must be careful to *never* contact a SecureDrop site at work. Most corporate and government networks log traffic at some level, ranging from "netflow" (a record of which computers are contacted) to full intrusion detection logs that record every URL visited on the network. A network administrator at work may easily be able to determine who has been using Tor on the work network. Any attempt to use SecureDrop within a monitored network is as good as saying "Hey, I'm up to no good", especially if there is a subsequent investigation.
Tor, while it can protect your anonymity in many cases, should not be seen as magic OPSEC sauce, and can easily be the opposite: it can make your traffic stand out.
This means that if you wish to submit documents that exist in this environment, you must remove them and submit them to SecureDrop using your personal computer, or even better, a new computer.
Trevor T: Any shared computer, for example a public library or internet cafe computer, also increases your risk of surveillance, although in a different manner. These computers may have network monitoring, and may also have access logs. However, the personal device you use daily may be infected with malware that has this capability as well. To mitigate this risk, you should boot your computer from a Live Operating System like Tails. This requires a sophisticated user, as the initial installation of Tails is fairly complex. However, Tails offers detailed instructions on how to download and use Tails here.
Nick W: By now it should be clear that you cannot safely use Tor from work or even from home, as even the lightest monitoring can often identify Tor users. Thus if you wish to leak documents to a SecureDrop, you should go to a third location with public wifi, like a coffee shop. Ideally, you would not go to a coffee shop you've ever been to before or plan on returning to. Avoid bringing and using items that can be used to track your location, like your cell phone. Buy your coffee in cash; do not use a credit card. Oh, and wear a hat.
James D: While accessing and using SecureDrop, attempt to sit with your back to the wall and use a privacy screen to avoid shoulder surfers and video cameras.
Don't re-use the same location to access SecureDrop.
If used properly, SecureDrop does not log any identifying information and you can stay anonymous, even from the journalists you are communicating with. However, the document you upload may contain "metadata" that can contain identifying information such as the author, editor, operating system used, location, and timestamps embedded within it. For extremely sensitive documents, corporations or governments may have placed watermarks or other unique identifiers on them to help them identify the source if they are leaked.
This information could be valuable to a journalist because it allows them to better authenticate the document; in other words, to prove it’s real. However, it could also put your identity at risk of being exposed.
The journalists are instructed to scrub this metadata on their end before ever publishing such a document. But if the source is concerned, they can use the Metadata Anonymization Toolkit (MAT) to do this before submitting. Unfortunately, MAT only runs in Debian or Tails, so you will have to go through some extra steps to use it.
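To make the metadata risk concrete, here is an added example (not SecureDrop or MAT code) that inspects and blanks the identifying fields of a Word document. A .docx is a zip archive whose author, last editor and timestamps live in docProps/core.xml; the sample document is constructed inline so the script runs offline, and the field names and namespaces are the standard Office Open XML ones.

```python
"""Inspect and scrub identifying core metadata in a .docx (added example, not MAT)."""
import io
import xml.etree.ElementTree as ET
import zipfile

# Standard OOXML namespaces used by docProps/core.xml.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
# Fields that can identify a source, as ElementTree "{namespace}tag" names.
IDENTIFYING = {
    "creator": "{%s}creator" % NS["dc"],
    "lastModifiedBy": "{%s}lastModifiedBy" % NS["cp"],
    "created": "{%s}created" % NS["dcterms"],
    "modified": "{%s}modified" % NS["dcterms"],
}

# Constructed core.xml for the sample document; names and dates are made up.
CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s">'
    "<dc:title>Quarterly audit</dc:title>"
    "<dc:creator>jdoe</dc:creator>"
    "<cp:lastModifiedBy>DOE, JANE (Finance)</cp:lastModifiedBy>"
    "<dcterms:created>2014-03-02T09:14:00Z</dcterms:created>"
    "<dcterms:modified>2014-03-03T17:41:00Z</dcterms:modified>"
    "</cp:coreProperties>"
) % NS


def build_sample_docx() -> bytes:
    """Constructed minimal .docx: only the parts needed to demonstrate the metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # placeholder part
        z.writestr("word/document.xml", "<w:document/>")  # placeholder part
        z.writestr("docProps/core.xml", CORE_XML)
    return buf.getvalue()


def read_metadata(docx_bytes: bytes) -> dict:
    """Return the identifying core-properties fields that are present and non-empty."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    found = {}
    for name, tag in IDENTIFYING.items():
        el = root.find(tag)
        if el is not None and (el.text or "").strip():
            found[name] = el.text.strip()
    return found


def scrub_metadata(docx_bytes: bytes) -> bytes:
    """Rewrite the archive with the identifying fields removed.

    The zip entries' own timestamps are reset too: they reveal when the file
    was last saved even when core.xml is clean.
    """
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    root = ET.fromstring(src.read("docProps/core.xml"))
    for tag in IDENTIFYING.values():
        for el in root.findall(tag):
            root.remove(el)
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)
    cleaned = ET.tostring(root, encoding="unicode").encode()
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = cleaned if info.filename == "docProps/core.xml" else src.read(info.filename)
            fresh = zipfile.ZipInfo(info.filename, date_time=(1980, 1, 1, 0, 0, 0))
            fresh.compress_type = zipfile.ZIP_DEFLATED
            dst.writestr(fresh, data)
    return out.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    print("before:", read_metadata(doc))
    print("after: ", read_metadata(scrub_metadata(doc)))
```

This only covers the core-properties part; real documents also carry metadata in app.xml, embedded images, revision history and comments, which is why a purpose-built tool such as MAT is the better choice for a source.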
Tor Browser, the privacy-conscious web browser that masks the IP address of your computer, is an integral part of SecureDrop and one of the keys to keeping your identity a secret.
Trevor T: It is possible to access SecureDrop .onion URLs by using what is known as Tor2Web. To do so, you can change the ".onion" in the URL to ".tor2web" and access the site without using the Tor Browser. However, we highly recommend you do NOT. Tor2Web can be leveraged by adversaries to compromise your identity.
If you try to access the SecureDrop site from Tor2Web you will receive a warning telling you to open Tor first.
Kevin G: In the Tor Browser Bundle, you can select the NoScript "S" (between the green onion and the address bar), and select "Forbid scripts globally". Make sure to reload the page before continuing.
A 7-10 random word codename that is only sporadically used will be almost impossible for the average person to remember. You will have to record it somewhere until you either remember it or no longer need it. When recording the codename try not to store the whole codename together. Break the codename into a few parts and store the parts in different locations.
Do not share your codename with anyone. The Journalist never needs to know your codename and they are instructed to never under any circumstances ask for it.
Trevor T: As soon as you are confident you have it memorized, destroy the pieces of paper you wrote it down on.
Right now, the Tor network encrypts your document in transit, and then the document is encrypted to a GPG key for storage on the SecureDrop server (the corresponding private key is stored offline). However, the message is momentarily in plaintext when it hits the server, and you are trusting that the web application and environment have not been compromised. We have our web application and environment continually audited to make sure it is as safe as possible. But to be 100% sure the plain text of your message or document never touches the server, you can encrypt your message or document before sending.
To do this, you can download the journalist’s public key from the SecureDrop main page. Then follow these instructions [link].
Kevin G: Delete GPG public keys after using them (`gpg --delete-key <KEYID> && rm -rf *.asc`). Zero-fill the partition you used to encrypt the documents after they are sent.
Copy the entire block of encrypted text into the comment box on the SecureDrop main page. When you hit submit your message will already be encrypted once, and will be encrypted again once it hits the server. Your message will never be seen in plain text by the server.
Mailing Your Documents Instead of Using SecureDrop
Nick W: Many people believe in using the postal service to get documents to journalists because of unambiguous warrant protections involving physical mail. Although it takes a warrant to open mail, and opening mail is a proactive, rather than retrospective, technique, the US government records the outside of every letter and package sent. This can be used to identify the mailbox for any letter of note, and potentially provide the government with knowledge of the outside of every letter sent to a target recipient long after the fact.
Trevor T: * Make sure there is no valid return address on your package
Should we recommend that they put a plausible fake return address (from the drop-off area)? Not having a return address increases the suspicion of the package. And the post office would have a record of where it was shipped from anyway.
SecureDrop 1.0 will be a complete re-architecture, designed to achieve two primary goals:
Each SecureDrop server should offer a simple API for clients to use in submitting information and conversing with journalists. Multiple client designs should be allowed, to satisfy a variety of source threat models and operational environments.
All encryption between sources and journalists should be end-to-end, accompanied with a variety of countermeasures to prevent or at least detect malicious tampering with the SecureDrop server.
Additionally, we should consider a design where both the server and client can cooperate to implement mitigations for traffic analysis.
A local observer (in the context of an anonymity network, any eavesdropper between the client and the first hop router) should only be able to determine that the user is using the anonymity network, but not that they are using SecureDrop.
A first step could be to randomly pad requests and responses to obfuscate the traffic fingerprint. Unfortunately, it is difficult to achieve certainty in effectiveness.
"Bucketing" requests and responses, in the manner of Pond, is unfortunately insufficient: the traffic pattern is still identifiable (which is acknowledged by Pond's design document).
We could use a more sophisticated scheme, such as Wright et al.'s traffic morphing. Unfortunately, this is difficult to implement and has also been called into question. In general, the jury is still out on any "efficient" traffic analysis scheme.
Ideally, we would also implement mitigations for global adversary traffic analysis. We obviously cannot stop them from learning that a given user is using SecureDrop due to correlation, but we might be able to prevent them from associating a SecureDrop user with a specific submission or set of submissions.
In general, resisting traffic analysis may be better served by removing the assumption of a low latency anonymity network (e.g. Tor). We could consider something high latency (e.g. Mixminion). Unfortunately, there is no existing network with a large anonymity set (comparable to Tor's) and bootstrapping one is decidedly non-trivial.
Given the difficulty in implementing and ascertaining confidence in comprehensive traffic analysis mitigation, it may be better to treat it as a goal for a future (1.x) release, and implement simple mitigations for 1.0 (e.g. random padding, maybe bucketing).
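The padding and bucketing options above can be compared on a toy model of the client-server exchange. The following is an added example, not SecureDrop design code: the bucket sizes, the two constructed sessions and the framing (a length prefix plus zero fill) are this example's assumptions. It shows what a local observer who can only see frame sizes learns under each scheme, and why bucketing on its own still leaves a recognisable pattern.

```python
"""Toy traffic-shaping model: random padding vs. bucketing vs. constant-size frames."""
import random

# Hypothetical bucket sizes for this example; the SecureDrop design fixes none.
BUCKETS = (1024, 4096, 16384, 65536)
HEADER = 4  # bytes carrying the real payload length inside each frame


def bucket_size(n: int, buckets=BUCKETS) -> int:
    """Smallest bucket holding n bytes; beyond the largest, round up to a multiple of it."""
    for b in buckets:
        if n <= b:
            return b
    largest = buckets[-1]
    return -(-n // largest) * largest


def pad_bucketed(payload: bytes, buckets=BUCKETS) -> bytes:
    """Frame = length prefix + payload + zero fill up to the bucket boundary."""
    target = bucket_size(len(payload) + HEADER, buckets)
    return len(payload).to_bytes(HEADER, "big") + payload + b"\x00" * (target - HEADER - len(payload))


def pad_constant(payload: bytes, size: int = BUCKETS[-1]) -> bytes:
    """Every frame is the same size: message size is hidden, at a large bandwidth cost."""
    return pad_bucketed(payload, buckets=(size,))


def pad_random(payload: bytes, max_extra: int, rng: random.Random) -> bytes:
    """Append 0..max_extra bytes of fill; cheap, but the expected size still tracks the payload."""
    extra = rng.randint(0, max_extra)
    return len(payload).to_bytes(HEADER, "big") + payload + b"\x00" * extra


def unpad(frame: bytes) -> bytes:
    """Receiver side: recover the payload from the length prefix."""
    n = int.from_bytes(frame[:HEADER], "big")
    return frame[HEADER:HEADER + n]


def fingerprint(frames) -> tuple:
    """What a local observer sees: the sequence of on-the-wire frame sizes."""
    return tuple(len(f) for f in frames)


def overhead(payloads, pad_fn) -> float:
    """Bytes sent per byte of real payload."""
    return sum(len(pad_fn(p)) for p in payloads) / sum(len(p) for p in payloads)


# Two constructed sessions: A uploads a 30 KB document, B only exchanges short messages.
SESSION_A = [b"login" * 20, b"D" * 30_000, b"ack" * 10]
SESSION_B = [b"login" * 20, b"m" * 200, b"ack" * 10]


def compare(pad_fn):
    """Fingerprints of both sessions under one padding scheme."""
    return fingerprint(map(pad_fn, SESSION_A)), fingerprint(map(pad_fn, SESSION_B))


def mean_random_size(payload: bytes, max_extra: int, samples: int = 300, seed: int = 1) -> float:
    """Average observed size of one payload under random padding (seeded for repeatability)."""
    rng = random.Random(seed)
    return sum(len(pad_random(payload, max_extra, rng)) for _ in range(samples)) / samples


if __name__ == "__main__":
    for name, fn in (("bucketed", pad_bucketed), ("constant", pad_constant)):
        print(name, compare(fn), "overhead for B: %.1fx" % overhead(SESSION_B, fn))
```

Under bucketing the upload session fingerprints as (1024, 65536, 1024) and the chat-only session as (1024, 1024, 1024), so the observer still tells them apart, which is the weakness the text attributes to Pond-style bucketing. Constant-size frames make the two sessions identical but cost the short session roughly 600 bytes sent per payload byte, and random padding of a few kilobytes does not hide a 30 KB upload at all.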
To transfer the encrypted files you receive from the source to the secure viewing station, and then back to your workstation for publication, you will need to use at least two USB sticks.
Ideally, the journalist would not use USBs at all, but would transfer each batch of documents using a different CD/DVD every time. As explained above, CDs or DVDs that are *not* re-writable are preferable to USB sticks. A journalist would copy the encrypted files from SecureDrop to a CD or DVD, copy them onto the Secure Viewing Station and then destroy the CD/DVD after first use. This requires a lot of CDs/DVDs, however, and if a file is bigger than 4.7 gigabytes (the standard DVD capacity), you may be forced to use a USB stick anyway. But again: using CDs/DVDs is the safest way to prevent your Secure Viewing Station or your personal workstation from being infected by an attacker's malware.
After decrypting the documents sent to you by the source, and before taking them to your normal workstation for publication, you should scrub any remaining metadata off the documents. This metadata, while potentially valuable in your authentication process, could put your source at risk if it were published.
Though some will only be entered once or rarely, the journalist will need to have at least four different passwords to operate SecureDrop properly. Creating a secure password in an age when computers can input billions of guesses per second is difficult. You can follow these instructions on creating a secure password, or you can use a password manager to create a random secure password for you.
A password manager also has the added benefit of keeping all your passwords in a safe place so you do not have to memorize them all.
While the Secure Viewing Station can be an old PC laptop, it is critical for security reasons that the hard drive is removed, the network cards are removed or physically disabled, and the speaker and microphone lines are cut. This computer is never to touch the Internet or another hard drive, and it's important to do all these steps so it is never compromised.
James D: The SVS should be located to avoid any CCTV and shoulder surfers.
(James fill in)
Updating Tails DVD
Download and burn the updated version of Tails.
Updating Tails USB
Use the built-in GUI to download and upgrade.
In the US, SecureDrop servers should be located physically inside the newsroom of the media organization – not in a data center hosted off-site and not by a third party.
If a foreign news organization has the opportunity to host servers in the organization's US office, it should do so. This may seem counter-intuitive based on the fact that third party providers in the US have been accused of handing over foreign data to the NSA, but US newsrooms offer you by far the most protection.
Remember: the big advantage to SecureDrop is that you are not relying on any third party providers to help you communicate. That means if there is a legal order to hand over data on a certain communication, it must be served directly to the media organization, rather than a third party like Google. This gives the media organization a chance to fight such an order in court, a fight that every media organization will likely back, and therefore will likely dissuade certain agencies from requesting the data to begin with. Further, authorities will come to learn that parties using SecureDrop will actually have scant data to hand over and such requests will become legally burdensome, as they would also have to compel the production of pass-phrases, etc.
The Privacy Protection Act also gives news organizations greater protection than ordinary premises receive. It severely restricts law enforcement's ability to obtain journalistic work product and source materials.
Preferably, they have a trusted location to host the servers. (The idea is that the servers should be hosted in a location that is owned or occupied by the organization to ensure that their legal rights can not be bypassed with gag orders).
If at all possible, SecureDrop should connect to the Internet through a separate Internet circuit than the rest of your news organization’s corporate network. If that is not feasible, you should segment a portion of your network (subnet) to be used solely for SecureDrop.
The SecureDrop servers should be monitored by video camera with the ability to keep a few days worth of recordings. As stated above, SecureDrop is most vulnerable to an attack when the attacker has physical access to the servers, so their physical security is just as paramount as the digital security surrounding the application.
Someone at the news organization will have to monitor the OSSEC and other email alerts that are sent a few times a day. These alerts are critical in making sure the servers have not been attacked or the system is not under a denial of service attack that could knock it offline for an extended period.
Once it is established who will receive the alerts, the news organization should map out what their response plan will be. For example, what do you do when there are technical outages? What happens when a denial of service attack is ongoing? What if the environment is compromised? These should cover all plausible scenarios, including the potential for compromise from intelligence agencies.
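The monitoring duty and the response plan described in the two paragraphs above can be tied together in a small triage script. What follows is an added example, not part of SecureDrop or OSSEC: the alert text is a constructed sample in the shape of OSSEC alert e-mails (hostnames, IPs, rule numbers and descriptions are made up; 100010 is only chosen because OSSEC reserves 100000 and up for local rules), and the severity thresholds, burst window and silence limit are this example's own choices that a newsroom would set in its plan.

```python
"""Triage constructed OSSEC-style alerts against a newsroom response plan (added example)."""
import re
from collections import defaultdict

# Constructed sample alerts; all values are made up for this example.
SAMPLE_ALERTS = """\
** Alert 1400000000.1: mail  - syslog,sshd,authentication_failed,
2014 May 13 16:53:20 sd-app->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10

** Alert 1400000030.2: mail  - syslog,sshd,authentication_failed,
2014 May 13 16:53:50 sd-app->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10

** Alert 1400000045.3: mail  - syslog,sshd,authentication_failures,
2014 May 13 16:54:05 sd-app->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 192.0.2.10

** Alert 1400000200.4: mail  - ossec,syscheck,
2014 May 13 16:56:40 sd-app->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'

** Alert 1400000300.5: mail  - local,egress,
2014 May 13 16:58:20 sd-app->/var/log/iptables.log
Rule: 100010 (level 12) -> 'Outbound connection from app server that did not go through Tor'
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+)\.\d+:.*?- (?P<groups>[\w,]+)", re.M)
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>[^']*)'", re.M)
SRC_RE = re.compile(r"^Src IP: (?P<ip>\S+)", re.M)


def parse_alerts(text: str) -> list:
    """Split the mail body into alerts and pull out timestamp, rule, level, groups and source IP."""
    alerts = []
    for block in re.split(r"\n(?=\*\* Alert )", text.strip()):
        head, rule = HEADER_RE.search(block), RULE_RE.search(block)
        if not (head and rule):
            continue  # malformed block: skip it rather than crash the monitor
        src = SRC_RE.search(block)
        alerts.append({
            "ts": int(head["ts"]),
            "groups": head["groups"].strip(",").split(","),
            "rule": int(rule["rule"]),
            "level": int(rule["level"]),
            "desc": rule["desc"],
            "src_ip": src["ip"] if src else None,
        })
    return alerts


def triage(alert: dict) -> str:
    """Map OSSEC severity to a response-plan action (thresholds are this example's choice)."""
    if alert["level"] >= 12:
        return "page-on-call"        # possible compromise: handle as an incident now
    if alert["level"] >= 7:
        return "investigate-today"   # integrity changes, repeated auth failures
    return "daily-digest"            # single low-level events


def noisy_sources(alerts, window: int = 300, threshold: int = 3) -> set:
    """Source IPs with at least `threshold` alerts inside `window` seconds (brute force / DoS)."""
    by_ip = defaultdict(list)
    for a in alerts:
        if a["src_ip"]:
            by_ip[a["src_ip"]].append(a["ts"])
    hits = set()
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.add(ip)
                break
    return hits


def silent_too_long(alerts, now: int, max_gap: int = 12 * 3600) -> bool:
    """Alerts arrive a few times a day; a long silence usually means an outage, not calm."""
    return not alerts or now - max(a["ts"] for a in alerts) > max_gap


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in parsed:
        print(a["ts"], "level", a["level"], triage(a), "-", a["desc"])
    print("noisy sources:", noisy_sources(parsed))
    print("silent too long:", silent_too_long(parsed, now=1400000300 + 13 * 3600))
```

The silence check matters as much as the severity check: an attacker who takes the server offline, or a failed mail relay, both look like a quiet day unless someone is expecting the regular OSSEC digest and notices it has stopped.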