Phishing As A Public Service – Leak Access, Not Data

The Intercept tweeted today:

[Image: The Intercept's tweet]

Kudos to The Intercept for reaching out to (US) federal employees to encourage safe leaking.

On the other hand, have you thought about the allocation of risks for leaking?

Take Edward Snowden for example. If caught, Snowden is going to jail, NOT Glenn Greenwald or other reporters who used the Snowden leak.

The Intercept has a valid point when it says:


Without leaks, journalists would have never connected the Watergate scandal to President Nixon, or discovered that the Reagan White House illegally sold weapons to Iran. In the past 15 years alone, inside sources played a vital role in uncovering secret prisons, abuses at Abu Ghraib, atrocities in Afghanistan and Iraq, and mass surveillance by the NSA.

At least historically speaking. Back in the days when hard copy was the norm.

Hard copy isn’t the norm now and leaking guidelines need to catch up to the present day.

Someone could have leaked a portion of the Office of Personnel Management records, but in the modern age, digital was far more powerful. (That was a straight hack, but it illustrates the difference between sweaty smuggling of hard copy versus giving others the key to a vault.)

Instead of leaking documents/data, imagine following these instructions:

The best option is to use our SecureDrop server, which has the advantage of allowing us to send messages back to you, while allowing you to remain totally anonymous — even to us, if that is what you prefer.

  • Begin by bringing your personal computer to a Wi-Fi network that isn’t associated with you or your employer, like one at a coffee shop. Download the Tor Browser. (Tor allows you to go online while concealing your IP address from the websites you visit.)
  • You can access our SecureDrop server by going to http://y6xjgkgwj47us5ca.onion/ in the Tor Browser. This is a special kind of URL that only works in Tor. Do NOT type this URL into a non-Tor Browser. It won’t work — and it will leave a record.
  • If that is too complicated, or you don’t wish to engage in back-and-forth communication with us, a perfectly good alternative is to simply send mail to P.O. Box 65679, Washington, D.C., 20035, or to The Intercept, 114 Fifth Avenue, 18th Floor, New York, New York, 10011. Drop it in a mailbox (do not send it from home, work or a post office) with no return address.

And you send the following:

  1. Your email address
  2. Screen shots of legitimate emails you get on a regular basis
  3. What passwords are the most important

That’s it.

The receiver constructs a phishing email and sends it to your address.

Like John Podesta and numerous other public figures, you are taken in by this scam.

Evildoers use your present password for access, and you have system-recorded evidence that you were duped.

How does that allocation of risk look to you, as a potential leaker?

PS: Some, but not all, journalists will be quick to point out that what I suggest is, drum roll, illegal. OK, and the question?

Those journalists are being very brave on behalf of leakers, knowing they will never share the fate of a leaker.

I make an exception for all the very brave journalists writing outside of the United States and a few other areas at great personal risk. But then they are unlikely to be concerned with the niceties of the law when dealing with a rogue government.

Update: Apologies but I forgot to include a link to the original post: Attention Federal Employees: If You See Something, Leak Something.
