Aaron Swartz's Last Project: Open Source System To Securely & Anonymously Submit Documents To The Press
from the add-it-to-the-long-list dept
The New Yorker has announced a new anonymous document sharing system called Strongbox, that will allow people to anonymously and securely submit documents to reporters from the New Yorker. Other publications have tried to set up something like this — often inspired by Wikileaks — but for the most part, they’ve been full of security holes, sometimes big and serious ones. What may be more interesting than the fact that this system is being set up is the story behind it. It’s based on DeadDrop, an open source system that was put together by Aaron Swartz and Kevin Poulsen.
Poulsen has the backstory of DeadDrop here, which is well worth reading. Basically, he and Aaron worked on this project on and off for quite some time, and it was only just completed a few weeks before Aaron’s death. The full story is worth reading, though here’s a snippet:
I wondered about this young tech-startup founder who put his energy into the debate over corporate-friendly copyright term extensions. That, and his co-creation of an anonymity project called Tor2Web, is what I had in mind when I approached him with the secure-submission notion. He agreed to do it with the understanding that the code would be open-source—licensed to allow anyone to use it freely—when we launched the system.
He started coding immediately, while I set out to get the necessary servers and bandwidth at Conde Nast. The security model required that the system be under the company’s physical control, but with its own, segregated infrastructure. Requisitioning was involved. Executives had questions. Lawyers had more questions.
Poulsen also notes that there were questions raised about the code after Aaron’s death, but those were eventually sorted out:
By December, 2012, Aaron’s code was stable, and a squishy launch date had been set. Then, on January 11th, he killed himself. In the immediate aftermath, it was hard to think of anything but the loss and pain of his death. A launch, like so many things, was secondary. His suicide also raised new questions: Who owned the code now? (Answer: he willed all his intellectual property to Sean Palmer, who gives the project his blessing.) Would his closest friends and his family approve of the launch proceeding? (His friend and executor, Alec Resnick, reports that they do.) The New Yorker, which has a long history of strong investigative work, emerged as the right first home for the system.
Of course, Poulsen leaves out his own history here as well. As (perhaps?) many of you know, Poulsen was a somewhat infamous hacker back in the day who eventually (after avoiding law enforcement for quite some time) went to prison for some of his hacks. Since then, he’s become one of my favorite journalists, writing for SecurityFocus and then Wired (and writing a wonderful book, Kingpin about some more recent hackers). While Poulsen and Swartz met long before Swartz was indicted — and Swartz and Poulsen were indicted for very different types of activities — having the two of them work together on a project like this is really quite fascinating.
The unfortunate part of all of this, of course, is that DeadDrop is basically Aaron’s “final project.” Given how much he accomplished prior to that in his short life, it’s just one more thing to add to a very long list of incredible accomplishments, but yet another reminder of how much potential was wiped away by his suicide.
Filed Under: aaron swartz, anonymity, deaddrop, journalism, kevin poulsen, open source, strongbox, the new yorker
Companies: conde nast
Comments on “Aaron Swartz's Last Project: Open Source System To Securely & Anonymously Submit Documents To The Press”
Why not let it take pictures of the uploaded documents to erase anything that may be hidden by someone who does not want their shit leaked?
Re: Re:
Because that opens up an attack vector (through JPEG exploits etc).
Re: Re:
That’s why the documents are only viewed on an offline machine that has no network access, and is booted from a readonly LiveCD… and then erased completely every time it’s booted thereafter.
In other words, there should be nothing the originator of the docs can do to alert them that the docs are “out there”.
Re: Re: Re:
Besides, pictures can’t really do justice to something like a database, or otherwise large amount of data that requires “mining” to reveal its secrets.
[OT] Reminder: House Judiciary on Copyright Reform
[Off-Topic] Reminder: The House Judiciary’s Subcommittee on Courts, Intellectual Property and the Internet will be holding a hearing today on copyright reform.
A Case Study for Consensus Building: The Copyright Principles Project
Thursday 5/16/2013 – 2:00 p.m.
2141 Rayburn House Office Building
Last week’s Techdirt article.
All the security in the world can't help
Will be subverted by keylogging via phishing stupid reporters.
Re: All the security in the world can't help
Not with the laptop being used to access the system being wiped every time it boots. What is more likely is that the central servers will be attacked in an attempt to disable the system if they can’t subvert it.
Re: All the security in the world can't help
Or government subpoenas, but who counts…
Kids, this REQUIRES trustable "man-in-the-middle"!
So it’s MUCH MORE risky than uploading from an internet cafe to several file hosts, the files plainly named, and just relying on the info being recognized by someone.
Why does this require Tor, Conde Nast, and The New Yorker, all three of which are suspect, besides the usual other network weak points? This looks designed to funnel leaks straight into “old media”, where are definitely stenographers on gov’t payroll calling themselves “journalists”.
Then there’s this tacit admission: “he willed all his intellectual property” — SO intellectual property IS a legitimate concept! Guess it only counts when you wish.
Re: Kids, this REQUIRES trustable "man-in-the-middle"!
Are you really as stupid as you seem or are you just too lazy to actually read what your commenting on?
“Kids, this REQUIRES trustable “man-in-the-middle”!”
How do you figure this? This system has you first get on Tor, hiding your identity, you then upload files that are encrypted to a server(you know, as in the people who own server cant see what it is because umm ITS ENCRYPTED) Then the people at The New Yorker check the box and download the still encrypted data, they then move it to a special computer that is not even online, there they can finally decrypt it.
So, where is this “man in the middle” going to grab the data?
Also… Stenographers? really?
“Definition of STENOGRAPHER
1: a writer of shorthand
2: a person employed chiefly to take and transcribe dictation “
Oh No!!! The government has people who can write SHORTHAND!!!!
Re: Re: Kids, this REQUIRES trustable "man-in-the-middle"!
When you link a definition, read all the definitions. Just saying.
Re: Kids, this REQUIRES trustable "man-in-the-middle"!
“Man in the middle”? For fuck’s sake, every single “anti-corporate” rant you post claims to be against the practice of grifting, i.e. being a man in the middle handling administrative bullshit.
Re: Kids, this REQUIRES trustable "man-in-the-middle"!
Then there’s this tacit admission: “he willed all his intellectual property” — SO intellectual property IS a legitimate concept! Guess it only counts when you wish.
Uh, you do realize that indented paragraphs in italics are quotes from the source article, right? Mike is not admitting to anything, tacitly or otherwise, simply by quoting Kevin Poulsen in a report on things Kevin Poulsen said.
Re: Kids, this REQUIRES trustable "man-in-the-middle"!
Intellectual property is a legitimate concept, but as it exists in its’ current form — last I read, 75+ creator’s lifespan, which is ludicrous — it is pretty bull.
That being said, I suspect you assume people [sorry, “pirates.”] think that it isn’t, and only choose to copy it [whoops, there I go again. “Steal.” is probably the only word you’ll recognize].
Besides that, using someone’s death to further an agenda of further copyright restrictions is just stupid and nonsensical. This can only mean good things, especially since it’s the New Yorker — one of the few ‘old media’ as you call them, that people trust [though I’ve personally never heard of them, so I cannot comment on whether or not I trust them.]
Tor is not ‘suspect.’ Tor is used to legitimately, along with V.P.N. hide your net address and provides actual internet anonymity, something that is REQUIRED nowadays since the Wikileaks situation, to leak information and documents to get them out to the public.
Regardless if it’s used to go into the Deep Web for CP, the black market, etc. it also has legitimate uses. Stop pretending everything you do not like has no legitimate uses in today’s world, and that the current networks we have are secure — they aren’t. I don’t know why you assume Conde Nast is suspect; I suspect that’s more from ignorance than actual awareness or knowledge of it, and just deciding to spout off ‘this is terribibible! oh my gooooooood!!!!’ rather than actually thinking this through.
Re: Re: Kids, this REQUIRES trustable "man-in-the-middle"!
No, it’s not. Substitute “imaginary” for “intellectual”, and it becomes clear. How do you transfer a thought held in one person’s imagination to another person? You can describe it in words, or perform it in their presence, but there’s no guarantee they’ll then have the same thought that you’re imagining. In fact, they’ll immediately translate or transform it based on their personal point of view. It can’t possibly be a one to one transferrance.
Throw the concept out. It’s meaningless.
So … his last project was basically WikiLeaks? Gee, wonder how well that would have gone over with the government.
an elaborate system
to get docs to our mainstream media… Why? They wont do a thing with it.
Far easier ways...
Technology is not the primary solution, good operational security (OPSEC) is.
E.g. http://www.wired.com/opinion/2013/05/listen-up-future-deep-throats-this-is-how-to-leak-to-the-press-today/
is my discussion of the problem.
Re: Far easier ways...
Your advice seems to ignore the relative ubiquity of surveillance cameras. Or did I miss something?
” it’s just one more thing to add to a very long list of incredible accomplishments,”
very long list ???
I could possibly 3, stole some documents (and got caught), wrote some code, killed himself..
Re: Re:
As opposed to crawling out from under a rock and posting on Techdirt? Your post shows how little you actually understand the legal reality of what happened…
BTW, the most important thing he did (which you missed — perhaps because of a blind spot?) was probably this: he made a lot of friends (not necessarily close personal ones) and gained a lot of respect.
Re: Re:
I see you enjoy displaying your ignorance:
Do you have a wikipedia page, or are your many accomplishments listed anywhere online?
Deadrop
does anyone else get the irony of the name of this project ?
And clearly Aaron believe copyright and IP is something real and physical, why else put it in his will?
Re: Deadrop
Re: Deadrop
Even if your characterization of his point of view is correct, why does it matter?
Re: Deadrop
Hee hee! darryl told a funny! Aren’t you a special little gremlin.