Leaking and leakers were in the news in the waning days of the Obama administration. Chelsa Manning, source of the Afghan War Diary, had her 35 year sentence commuted to seven years by President Obama. Edward Snowden, who leaked a wide variety of materials, was discussed as a candidate for a pardon, but none was forthcoming.
The House Intelligence Committee letter urged President Obama to not pardon Snowden. The only truthful statement in the letter, apart from the signatures, appears to be:
America’s intelligence professionals take Mr. Snowden’s disclosures personally.
Why “America’s intelligence professionals” pouting over disclosures of their illegal and ineffectual activities is relevant to pardoning Snowden isn’t clear. In any event, Snowden continues to reside in Russia.
What is clear is that leakers bear the risk of obtaining and leaking material of great public interest. Some of that risk is an artifact of current practices for leaking.
Present Day Leaking Practices
The Intercept has a fair description of current art of leaking:
- Begin by bringing your personal computer to a Wi-Fi network that isn’t associated with you or your employer, like one at a coffee shop. Download the Tor Browser. (Tor allows you to go online while concealing your IP address from the websites you visit.)
- You can access our SecureDrop server by going to http://y6xjgkgwj47us5ca.onion/ in the Tor Browser. This is a special kind of URL that only works in Tor. Do NOT type this URL into a non-Tor Browser. It won’t work — and it will leave a record.
- If that is too complicated, or you don’t wish to engage in back-and-forth communication with us, a perfectly good alternative is to simply send mail to P.O. Box 65679, Washington, D.C., 20035, or to The Intercept, 114 Fifth Avenue, 18th Floor, New York, New York, 10011. Drop it in a mailbox (do not send it from home, work or a post office) with no return address.
Attention Federal Employees: If You See Something, Leak Something
The Intercept never discusses the form, hard copy or digital, of a leak but WikiLeaks:Submissions, reads like a description of a sneakernet.
“Sneakernet” were a primitive and inefficient way to transfer information from one computer to another. With a user carrying a floppy disk from one computer to another, hence “sneakernet.”
Primitive and inefficient qualify as descriptors for leakers obtaining documents in hard copy and/or electronically and transferring them to the news media.
Potential leakers must endanger themselves by copying and smuggling the documents to be leaked, plus do a technical dance to leak them. In a modern networked environment.
In a networked environment is the key.
Leaking in a Networked Environment
No leaking advice is universal and what I am about to describe won’t work, at least not well, for air gapped systems. Leaking by sneakernet remains relevant for some situations.
In a networked environment, consider a potential leaker leaking login credentials? Not necessarily theirs, perhaps the sysadmin credentials written next to the console. Or their office manager’s.
That sort of leaking only requires:
- Blank paper with envelope
- Addressed to a news media address – no return address
- Credentials written on the paper with remote login URL
- News media destroys notes after they arrive
The usual cautions, not from your place of business, etc. apply.
Prospective leakers enjoy these advantages from leaking login credentials:
- Easy to leak
- No copying, physical or digital to attract attention
- No smuggling of documents or media past security
- No traceability in sea of breaches large and small
The reduction of the technical requirements for leaking, not to mention reducing the risk to the leakers themselves, lowers the bar for leakers and should attract more leaking.
The news media obtains advantages from credential leaking as well:
- Enables creation of a library of sources
- Enables exploration for other documents
- Reduces arbitrary or incomplete nature of leaks
- Reduces the opacity reflex, media likely knows the truth already
Credential leaking does alter the risk of leaking from being leaker centric to putting a greater burden on the news media.
Allocation of Risk
The sharing of login credentials maybe a crime under 18 USC 1030 (Computer Fraud & Abuse Act (CFAA)). I say “maybe” a crime because panels of Ninth Circuit Federal Court of Appeals “appear” to have different ideas on password sharing. Ninth Circuit Panel Backs Away From Dangerous Password Sharing Decision—But Creates Even More Confusion About the CFAA
Whether faulty reasoning spreads from the Ninth Circuit or not, it remains clear that avoiding copying, smuggling, etc., as with credential leaking, poses a reduced risk to leakers.
On the other hand, under the provisions of 18 USC 1030 (Computer Fraud & Abuse Act (CFAA)), the risk to any reporter or news media organization that makes use of leaked credentials, the risk is elevated.
Elevated to federal felony level risk.
That may seem like a poor trade for the news media, but consider that the New York Times has stables of internal counsel, not to mention external counsel and financial resources that aren’t available to the average leaker.
Moreover, the New York Times has access to highly competent computer experts who can “leak” data to its reporters via secure means, enabling reporters to truthfully testify as to the origin of leaked materials used in their stories.
Unlike current leaking practices, where the leaker takes all the risks, considerable risks, credential leaking allocates the leak and risk to those best able to accomplish it with a margin of safety.
Along with that reallocation of risk, comes the potential to greatly democratize the practice of leaking.
How effective are postings like Attention Federal Employees: If You See Something, Leak Something?
The Bureau of Labor Statistics estimates the number of potential leakers by employment category as of December 2016 (my characterization, not theirs):
- Accounting 1,015,800
- Financial Activities 8,359,000
- Government 22,565,000
- Legal Services 1,131,900
- Oil and Gas 173,300
- Real Estate 2,147,400
(Table B-1. Employees on nonfarm payrolls by industry sector and selected industry detail)
Not a complete listing of the categories. I selected those where scandals and/or scandalous materials are most often found.
By my count, 35,392,400 potential leakers.
Compare The Intercept‘s long treatment with on the masthead of Times-with-a-Spine (fictitous newspaper):
Leakers (see A-2)
On page A-2:
If you are going to leak:
- Write login credentials (not your own), login URL, on paper
- Mail to (news address) – no return address
- We destroy all leaked credentials upon receipt
Push an ad with the same content into daily shoppers, free/community newspapers, websites, etc. Perhaps even Amazon ads keyed to people with .gov and .mil email addresses.
How news organizations will use leaked credentials I cannot say. In order to protect leakers, however, any credential leaks should be destroyed upon determination they are credential leaks. (Complete burning with paper of similar origins into a fine ash, sifting and secure burial for starters.)