Aaron Swartz's Last Project: Open Source System To Securely & Anonymously Submit Documents To The Press

from the add-it-to-the-long-list dept

The New Yorker has announced a new anonymous document sharing system called Strongbox, which will allow people to anonymously and securely submit documents to reporters from the New Yorker. Other publications have tried to set up something like this -- often inspired by Wikileaks -- but for the most part, they've been full of security holes, sometimes big and serious ones. What may be more interesting than the fact that this system is being set up is the story behind it. It's based on DeadDrop, an open source system that was put together by Aaron Swartz and Kevin Poulsen.

Poulsen has the backstory of DeadDrop here, which is well worth reading. Basically, he and Aaron worked on this project on and off for quite some time, and it was only just completed a few weeks before Aaron's death. The full story is worth reading, though here's a snippet:

"I wondered about this young tech-startup founder who put his energy into the debate over corporate-friendly copyright term extensions. That, and his co-creation of an anonymity project called Tor2Web, is what I had in mind when I approached him with the secure-submission notion. He agreed to do it with the understanding that the code would be open-source—licensed to allow anyone to use it freely—when we launched the system.

"He started coding immediately, while I set out to get the necessary servers and bandwidth at Conde Nast. The security model required that the system be under the company’s physical control, but with its own, segregated infrastructure. Requisitioning was involved. Executives had questions. Lawyers had more questions."

Poulsen also notes that there were questions raised about the code after Aaron's death, but those were eventually sorted out:

"By December, 2012, Aaron’s code was stable, and a squishy launch date had been set. Then, on January 11th, he killed himself. In the immediate aftermath, it was hard to think of anything but the loss and pain of his death. A launch, like so many things, was secondary. His suicide also raised new questions: Who owned the code now? (Answer: he willed all his intellectual property to Sean Palmer, who gives the project his blessing.) Would his closest friends and his family approve of the launch proceeding? (His friend and executor, Alec Resnick, reports that they do.) The New Yorker, which has a long history of strong investigative work, emerged as the right first home for the system."

Of course, Poulsen leaves out his own history here as well. As (perhaps?) many of you know, Poulsen was a somewhat infamous hacker back in the day who eventually (after avoiding law enforcement for quite some time) went to prison for some of his hacks. Since then, he's become one of my favorite journalists, writing for SecurityFocus and then Wired (and writing a wonderful book, Kingpin, about some more recent hackers). While Poulsen and Swartz met long before Swartz was indicted -- and Swartz and Poulsen were indicted for very different types of activities -- having the two of them work together on a project like this is really quite fascinating.

The unfortunate part of all of this, of course, is that DeadDrop is basically Aaron's "final project." Given how much he accomplished prior to that in his short life, it's just one more thing to add to a very long list of incredible accomplishments, but yet another reminder of how much potential was wiped away by his suicide.

Filed Under: aaron swartz, anonymity, deaddrop, journalism, kevin poulsen, open source, strongbox, the new yorker
Companies: conde nast


Reader Comments

  • Anonymous Coward, 16 May 2013 @ 4:08am

    Why not let it take pictures of the uploaded documents to erase anything that may be hidden by someone who does not want their shit leaked?

    • Anonymous Coward, 16 May 2013 @ 4:28am

      Re:

      Because that opens up an attack vector (through JPEG exploits etc).

    • Anonymous Coward, 16 May 2013 @ 7:45am

      Re:

      That's why the documents are only viewed on an offline machine that has no network access, and is booted from a readonly LiveCD... and then erased completely every time it's booted thereafter.

      In other words, there should be nothing the originator of the docs can do to alert them that the docs are "out there".

      • Anonymous Coward, 16 May 2013 @ 7:54am

        Re: Re:

        Besides, pictures can't really do justice to something like a database, or otherwise large amount of data that requires "mining" to reveal its secrets.

  • Anonymous Coward, 16 May 2013 @ 4:27am

    [OT] Reminder: House Judiciary on Copyright Reform

    [Off-Topic] Reminder: The House Judiciary's Subcommittee on Courts, Intellectual Property and the Internet will be holding a hearing today on copyright reform.

    A Case Study for Consensus Building: The Copyright Principles Project
    Thursday 5/16/2013 - 2:00 p.m.
    2141 Rayburn House Office Building


    Last week's Techdirt article.

  • indy, 16 May 2013 @ 4:33am

    All the security in the world can't help

    Will be subverted by keylogging via phishing stupid reporters.

    • Anonymous Coward, 16 May 2013 @ 4:49am

      Re: All the security in the world can't help

      Not with the laptop being used to access the system being wiped every time it boots. What is more likely is that the central servers will be attacked in an attempt to disable the system if they can't subvert it.

    • Anonymous Coward, 16 May 2013 @ 5:18am

      Re: All the security in the world can't help

      Or government subpoenas, but who counts...

  • This comment has been flagged by the community.
    out_of_the_blue, 16 May 2013 @ 6:07am

    Kids, this REQUIRES trustable "man-in-the-middle"!

    So it's MUCH MORE risky than uploading from an internet cafe to several file hosts, the files plainly named, and just relying on the info being recognized by someone.

    Why does this require Tor, Conde Nast, and The New Yorker, all three of which are suspect, besides the usual other network weak points? This looks designed to funnel leaks straight into "old media", where there are definitely stenographers on gov't payroll calling themselves "journalists".

    Then there's this tacit admission: "he willed all his intellectual property" -- SO intellectual property IS a legitimate concept! Guess it only counts when you wish.

    • Machin Shin, 16 May 2013 @ 7:07am

      Re: Kids, this REQUIRES trustable "man-in-the-middle"!

      Are you really as stupid as you seem or are you just too lazy to actually read what you're commenting on?

      "Kids, this REQUIRES trustable "man-in-the-middle"!"

      How do you figure this? This system has you first get on Tor, hiding your identity, you then upload files that are encrypted to a server (you know, as in the people who own server can't see what it is because umm IT'S ENCRYPTED). Then the people at The New Yorker check the box and download the still encrypted data, they then move it to a special computer that is not even online, there they can finally decrypt it.

      So, where is this "man in the middle" going to grab the data?

      Also... Stenographers? really?

      "Definition of STENOGRAPHER
      1: a writer of shorthand
      2: a person employed chiefly to take and transcribe dictation "

      Oh No!!! The government has people who can write SHORTHAND!!!!

      • Anonymous Coward, 16 May 2013 @ 8:29am

        Re: Re: Kids, this REQUIRES trustable "man-in-the-middle"!

        When you link a definition, read all the definitions. Just saying.

    • Anonymous Coward, 16 May 2013 @ 7:32am

      Re: Kids, this REQUIRES trustable "man-in-the-middle"!

      "Man in the middle"? For fuck's sake, every single "anti-corporate" rant you post claims to be against the practice of grifting, i.e. being a man in the middle handling administrative bullshit.

    • Anonymous Coward, 16 May 2013 @ 7:42am

      Re: Kids, this REQUIRES trustable "man-in-the-middle"!

      Then there's this tacit admission: "he willed all his intellectual property" -- SO intellectual property IS a legitimate concept! Guess it only counts when you wish.

      Uh, you do realize that indented paragraphs in italics are quotes from the source article, right? Mike is not admitting to anything, tacitly or otherwise, simply by quoting Kevin Poulsen in a report on things Kevin Poulsen said.

    • Coyote, 16 May 2013 @ 7:38pm

      Re: Kids, this REQUIRES trustable "man-in-the-middle"!

      Intellectual property is a legitimate concept, but as it exists in its current form -- last I read, 75+ creator's lifespan, which is ludicrous -- it is pretty bull.

      That being said, I suspect you assume people [sorry, "pirates."] think that it isn't, and only choose to copy it [whoops, there I go again. "Steal." is probably the only word you'll recognize].

      Besides that, using someone's death to further an agenda of further copyright restrictions is just stupid and nonsensical. This can only mean good things, especially since it's the New Yorker -- one of the few 'old media' as you call them, that people trust [though I've personally never heard of them, so I cannot comment on whether or not I trust them.]

      Tor is not 'suspect.' Tor is used to legitimately, along with V.P.N. hide your net address and provides actual internet anonymity, something that is REQUIRED nowadays since the Wikileaks situation, to leak information and documents to get them out to the public.

      Regardless if it's used to go into the Deep Web for CP, the black market, etc. it also has legitimate uses. Stop pretending everything you do not like has no legitimate uses in today's world, and that the current networks we have are secure -- they aren't. I don't know why you assume Conde Nast is suspect; I suspect that's more from ignorance than actual awareness or knowledge of it, and just deciding to spout off 'this is terribibible! oh my gooooooood!!!!' rather than actually thinking this through.

      • tqk, 17 May 2013 @ 7:41am

        Re: Re: Kids, this REQUIRES trustable "man-in-the-middle"!

        Intellectual property is a legitimate concept ...

        No, it's not. Substitute "imaginary" for "intellectual", and it becomes clear. How do you transfer a thought held in one person's imagination to another person? You can describe it in words, or perform it in their presence, but there's no guarantee they'll then have the same thought that you're imagining. In fact, they'll immediately translate or transform it based on their personal point of view. It can't possibly be a one to one transference.

        Throw the concept out. It's meaningless.

  • Anonymous Coward, 16 May 2013 @ 8:23am

    So ... his last project was basically WikiLeaks? Gee, wonder how well that would have gone over with the government.

  • weneedhelp, 16 May 2013 @ 8:45am

    an elaborate system

    to get docs to our mainstream media... Why? They won't do a thing with it.

  • Nicholas Weaver, 16 May 2013 @ 9:32am

    Far easier ways...

    Technology is not the primary solution, good operational security (OPSEC) is.

    E.g. http://www.wired.com/opinion/2013/05/listen-up-future-deep-throats-this-is-how-to-leak-to-the-press-today/
    is my discussion of the problem.

    • RonKaminsky, 16 May 2013 @ 1:00pm

      Re: Far easier ways...

      Your advice seems to ignore the relative ubiquity of surveillance cameras. Or did I miss something?

  • Anonymous Coward, 16 May 2013 @ 11:27am

    " it's just one more thing to add to a very long list of incredible accomplishments,"

    very long list ???

    I could possibly 3, stole some documents (and got caught), wrote some code, killed himself..

    • RonKaminsky, 16 May 2013 @ 12:19pm

      Re:

      As opposed to crawling out from under a rock and posting on Techdirt? Your post shows how little you actually understand the legal reality of what happened...

      BTW, the most important thing he did (which you missed --- perhaps because of a blind spot?) was probably this: he made a lot of friends (not necessarily close personal ones) and gained a lot of respect.

    • tqk, 17 May 2013 @ 7:54am

      Re:

      I could possibly 3 [sic], stole some documents (and got caught), wrote some code, killed himself..

      I see you enjoy displaying your ignorance:
      Swartz was involved in the development of the web feed format RSS,[4] the organization Creative Commons,[5] the website framework web.py[6] and the social news site Reddit, in which he was an equal partner after its merger with his Infogami company.[i] Swartz also focused on sociology, civic awareness and activism.[7][8] In 2010, he became a research fellow at Harvard University's Edmond J. Safra Research Lab on Institutional Corruption, directed by Lawrence Lessig.[9][10] He founded the online group Demand Progress, known for its campaign against the Stop Online Piracy Act.

      Do you have a wikipedia page, or are your many accomplishments listed anywhere online?

  • Anonymous Coward, 16 May 2013 @ 11:34am

    Deadrop

    does anyone else get the irony of the name of this project ?

    And clearly Aaron believed copyright and IP is something real and physical, why else put it in his will?

    • RonKaminsky, 16 May 2013 @ 12:14pm

      Re: Deadrop

      > something real

      Of course he thought it was real (as in, currently a legal reality), why do you think he was so careful not to infringe?

      > and physical

      Now you're letting your stupidity show.

    • John Fenderson, 16 May 2013 @ 12:33pm

      Re: Deadrop

      Even if your characterization of his point of view is correct, why does it matter?

    • Anonymous Coward, 16 May 2013 @ 7:15pm

      Re: Deadrop

      Hee hee! darryl told a funny! Aren't you a special little gremlin.
