Zeit Online briefkasten
The German newspaper Die Zeit has launched a secure / anonymous dropbox system for sending information or files to their Zeit Online investigative journalism team.
They (or their technical team) have published the Python source code of the application on GitHub, which could be adapted for use by other organisations.
via Google Translate:
What this site is not:
We are not WikiLeaks or any other leaks platform. This means there is no guarantee that information you give us here will be published. In case of doubt we will not publish information or documents that we receive, either to protect the source, or because we find that not all details should be made public.
We edit the content journalistically. It is quite possible that your submitted data is the beginning of a lengthy investigation and is ultimately just one piece in the mosaic that is then published.
N.B. this application does not actually provide much resistance to Communications Data Traffic Analysis, so they do recommend the use of Tor etc.
- mobile phone / SMS text message:
Social Media / Networks
Mainstream print and broadcast journalists, politicians etc., i.e. the influential people at whom whistleblower leaks are targeted, are busy people, but can sometimes be enticed to read about whistleblower issues through Twitter, Facebook or blog RSS feeds etc.
Yes c.f. individual journalist's profiles
Yes c.f. individual journalist's profiles
Yes c.f. individual journalist's profiles
Financial Donation methods
Currently accepting submissions of whistleblower leaks?
Explicit promises about Anonymity, Privacy or Security
Restrictive legal Terms & Conditions
No, but Zeit Online is part of a big mainstream media group in Germany, so media & libel law etc. apply
Practical Advice on preserving Whistleblower Anonymity
via Google Translate
For your own safety, you should consider some points:
- Do not send information directly from your company computer, and do not contact us from it either. You should also not use your personal computer at home, because in case of doubt you can be identified by its IP address. Even though our mailbox saves no server logs, you can still further reduce the risk that the submitted data can be attributed to you. Better to use equipment that is not linked to you, for example in an Internet cafe or library.
- Do not pull data from an internal network onto your own computer. Use external storage such as DVDs or USB sticks. If these are too obvious, use an MP3 player, for example. These devices can store any type of document, but look more harmless than a blank DVD. In some systems, the storage of certain information is logged. It may therefore be useful to pass on data on paper, or simply to photograph the screen.
- The circle of those who have access to the internal information should not be so small that it leads to you as a possible suspect. If it is limited to a few people, you had better refrain from passing on the data, or wait until the circle is larger.
- If you want to call us, buy an anonymous prepaid card and a used cell phone. Do not use your own device.
- If you want to email us, never use an email address registered to you or an address with which you otherwise communicate. Use anonymous disposable addresses or get yourself an account under a false name with a free mail provider. Do not use these e-mail addresses from company computers or from your computer at home, and do not use them for any purpose other than the intended one. Use encryption techniques like PGP. The corresponding programs are freely available on the Internet.
- You can try to disguise your local IP address, and therefore your identity on the network, with services like TOR. But in case of doubt, anonymous email addresses and Internet cafes offer more security.
- Be patient and plan your submission of information. Over-hasty or rash action could endanger you.
Leak Submission Encryption
Digital Certificate fingerprints published on their website:
However, the briefkasten open source application creates a web page which does advise you to check the SHA-1 and / or MD5 fingerprints of the SSL / TLS Digital Certificate of the website.
via Google Translate:
You can check the integrity of the connection using a so-called "fingerprint". In the address bar of your browser you will find a lock icon, behind which the certificate information for this page is hidden. The "fingerprint" is a long combination of numbers and letters that you will find under the name "SHA1". Compare the "fingerprint" displayed online with the combination published in the printed ZEIT. Both must match. Only then is it guaranteed that the data upload takes place over an untampered, secure connection.
Since they seem to have forgotten to actually publish these fingerprints, here they are:
Serial No: 7573 46AC 9F5C FCB3 8E2A 1F30 47C5 0526
Valid until: 15-Dec-2012 23:59:59 GMT
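The fingerprint check the briefkasten page asks the source to do by eye can be scripted. The following is an added example (not code from Zeit Online or the briefkasten project): it fetches the certificate a server presents, formats its SHA-1 / MD5 / SHA-256 fingerprint the way a browser shows it, and compares it against a value copied from print, tolerating the spaces, colons and letter case the printed version may use. SAMPLE_DER is a constructed byte string standing in for a real DER certificate, and the published fingerprint in the usage section is a placeholder.

```python
import hashlib
import hmac
import re
import socket
import ssl

# Constructed stand-in for a DER-encoded certificate: in real use this is the
# byte string fetch_der_certificate() returns from the live server.
SAMPLE_DER = b"\x30\x82\x01\x00constructed-sample-certificate-bytes"

def fingerprint(der, algorithm="sha1"):
    """Hash the DER bytes and format the digest the way browsers display it:
    upper-case hex pairs separated by colons."""
    if algorithm not in ("sha1", "sha256", "md5"):
        raise ValueError("unsupported fingerprint algorithm: " + algorithm)
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalise(printed):
    """A fingerprint copied from print may use spaces, colons or no separator
    and any letter case; reduce it to bare upper-case hex before comparing."""
    return re.sub(r"[^0-9A-F]", "", printed.upper())

def matches_published(der, published, algorithm="sha1"):
    """True only if the live certificate's fingerprint equals the published one.
    A wrong-length value (typo, or digest of a different algorithm) is rejected
    outright; compare_digest keeps the comparison constant-time."""
    expected = normalise(published)
    if len(expected) != 2 * hashlib.new(algorithm).digest_size:
        return False
    return hmac.compare_digest(normalise(fingerprint(der, algorithm)), expected)

def fetch_der_certificate(host, port=443):
    """Fetch the leaf certificate the server presents, as DER bytes. CA
    verification is switched off on purpose: the published fingerprint, not
    the CA chain, is what is being trusted here, and the caller must refuse
    to upload anything if matches_published() returns False."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

if __name__ == "__main__":
    # Placeholder: substitute the SHA1 value printed in DIE ZEIT.
    published = "<SHA1 fingerprint printed in DIE ZEIT>"
    der = fetch_der_certificate("ssl.zeit.de")
    print(fingerprint(der), "matches:", matches_published(der, published))
```

Where the site publishes a SHA-256 fingerprint, pass algorithm="sha256"; SHA-1 and MD5 are kept only because those are the values the page says get published.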
Qualys SSL Labs SSL Server Test rating:
Overall rating: A
Protocol Support: 85
Key Exchange: 80
Cipher Strength: 90
Not vulnerable to the BEAST man-in-the-middle attack, e.g. at public WiFi hotspots
PGP Public Encryption Key
No specific Zeit Online briefkasten PGP key, even though the application claims to use PGP / GPG encrypted emails.
Very unusually for a mainstream media publication, the entire team of investigative journalists and editors appear to have published PGP Key Server links to their PGP Encryption / Signing keys.
Wolfgang Blau Chefredakteur von ZEIT ONLINE http://community.zeit.de/user/wolfgang-blau http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE79EE24BA9E991D3 firstname.lastname@example.org
Domenika Ahlrichs Stellvertretende Chefredakteurin, ZEIT ONLINE http://community.zeit.de/user/domenika-ahlrichs http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x6D92E32D20D8B4EC email@example.com
Karsten Polke-Majewski Stellvertretender Chefredakteur, ZEIT ONLINE http://community.zeit.de/user/polkemajewski N.B. no PGP key link on his profile page, but there is this PGP Key on the Keyservers http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x18F9EAB53894CC62 firstname.lastname@example.org
Kai Biermann Redakteur im Ressort Digital, ZEIT ONLINE http://community.zeit.de/user/kai-biermann http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x38161797D4518B42 email@example.com
Martin Kotynek Investigativ-Ressort, DIE ZEIT http://community.zeit.de/user/martink-0 http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC054E132F7576DCD firstname.lastname@example.org
Yassin Musharbash Investigativ-Ressort, DIE ZEIT http://community.zeit.de/user/yassin-musharbash http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB9303F5890129231 email@example.com
Daniel Müller Investigativ-Ressort, DIE ZEIT http://community.zeit.de/user/daniemul http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC5EC44E1FBD6D12E daniel.müller@zeit.de
TOR Hidden Service
Hushmail Secure Form
Content Delivery Network
Content Delivery Networks can provide scalable multimedia bandwidth and resistance to Denial of Service attacks, but sometimes this comes at the price of extra tracking and reduced anonymity for whistleblower sources.
Leak Submission Anonymity
Some of these techniques are appropriate for a normal website like this wiki, but not for whistleblower or tipoff websites, where potential whistleblower source anonymity protection should be paramount:
TOR users blocked from access
3rd Party or persistent tracking cookies or graphics
CAPTCHA graphics generated by another website, e.g. Google reCAPTCHA
Mixed mode non-SSL graphics or style sheets
Embedded video clips or deep linked graphics etc. from another website e.g. YouTube
Flash file uploader class
Communications / Acknowledgement back to the whistleblower via the website
A unique submission ID is randomly generated, which can be used to access a dropbox for two way messaging / feedback from the journalists
Acknowledgement of receipt of information
e.g. file upload success indicator - has the leak message or upload actually been received successfully?
Leak analysis work flow status reporting
e.g. Has anyone actually looked at what the whistleblower has submitted ?
Private message box
e.g. for 2-way communications back to the anonymous whistleblower, asking for clarification, offering advice etc.
Domain Name Resilience
The threats of legal court proceedings against Domain Name Registrars and Domain Name Service providers are lessons which WikiLeaks.org emulators should take note of:
Domain Name Registrar
IP address: 22.214.171.124
Host name: ssl.zeit.de
directly with denic.de
Multiple Internet Service Providers, in different legal jurisdictions ?
Domain Name Server(s) & jurisdiction(s)
Alternate Domain Name aliases
Actual Physical Mirrors of the website:
Content available via BitTorrent or other P2P networks etc.
Hosting of Mirrors of other whistleblowing websites
Open Source software published
briefkasten is a reasonably secure web application for submitting content anonymously. It allows uploading attachments, which are then sanitized of a number of metadata fields that could compromise the submitter's identity. Next, the sanitized files are encrypted via GPG and sent via email to a pre-configured list of recipients. The original (potentially 'dirty') files are then deleted from the file system of the server. Thus, neither should admins with access to the server be able to access any submissions, nor should any of the recipients have access to the unsanitized raw material.
Upon successful upload the submitter receives a unique URL with a token that he or she can use to access any replies the recipients may post. That reply is the only data persisted on the server.
The current implementation should be ready for general use on a functional level; the only part that is (currently) hard-coded for the specific deployment at ZEIT ONLINE is the HTML markup in the templates and static assets such as logos and CSS, but these are easily modified, so in theory anybody should be able to host their own secure briefkasten with minimal setup pain.
A future release may contain more configurable options, but for now the main goal of publishing the code is transparency with re-usability coming in second.
This application could do with a random and / or user configurable delay between uploading a file and emailing it from the web server to the target email addresses.
Ideally there should also be regular dummy encrypted "cover traffic" streams (with randomly sized or padded attachments) into which the real emails can be hidden.
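A sketch of the two suggestions above, added here as an example and not part of briefkasten: every outgoing attachment (real or dummy) is padded with random bytes to one of a few fixed size buckets, dummy cover messages are generated on the same schedule, and each submission is mailed at a uniformly random time within a window after receipt. The bucket sizes and delay window are hypothetical values chosen for illustration, and the padded blob is assumed to be GPG-encrypted before mailing, as briefkasten already does.

```python
import os
import secrets
import struct
from datetime import datetime, timedelta

# Hypothetical size buckets: every outgoing attachment, real or dummy, is
# padded to one of these, so size alone says nothing about the content.
BUCKETS = [64 * 1024, 256 * 1024, 1024 * 1024, 4 * 1024 * 1024]
HEADER = struct.Struct(">?I")  # is_real flag + true payload length

def pad_to_bucket(payload, is_real):
    """Prefix the flag and true length, then pad with random bytes up to the
    smallest bucket that fits. The whole blob is meant to be GPG-encrypted
    before it is mailed, so the flag is never visible on the wire."""
    body = HEADER.pack(is_real, len(payload)) + payload
    for size in BUCKETS:
        if len(body) <= size:
            return body + os.urandom(size - len(body))
    raise ValueError("attachment larger than the largest bucket")

def unpad(blob):
    """Recipient side, after decryption: recover (is_real, payload); dummy
    cover messages are simply discarded."""
    is_real, length = HEADER.unpack_from(blob)
    return is_real, blob[HEADER.size:HEADER.size + length]

def make_cover_message():
    """A dummy submission of random content and random size, sent on the same
    schedule as real ones so the outgoing mail stream never goes quiet."""
    size = secrets.randbelow(BUCKETS[-2]) + 1
    return pad_to_bucket(secrets.token_bytes(size), is_real=False)

def dispatch_time(received, min_delay_s=600, max_delay_s=6 * 3600):
    """Pick a uniformly random send time in [min, max] after receipt, so an
    upload timestamp cannot be lined up with the moment the mail goes out."""
    delay = min_delay_s + secrets.randbelow(max_delay_s - min_delay_s + 1)
    return received + timedelta(seconds=delay)

if __name__ == "__main__":
    received = datetime.now()
    real = pad_to_bucket(b"constructed sample document", is_real=True)
    dummy = make_cover_message()
    print(len(real), len(dummy), "send at", dispatch_time(received))
```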