How much would you trust Rupert Murdoch and News Corporation? Based on News Corporation’s attempt to emulate Wikileaks with its own anonymous leaks site, the answer is not at all.
The site has turned into a debacle mere hours after launch, with crippling holes in its cyber security being uncovered.
Yesterday, The Wall Street Journal launched its own attempt at an anonymous dropbox for leaks, and showed either a splendid sense of irony or a complete lack of one by editorializing at the same time calling for consideration of the prosecution of Julian Assange.
A number of mainstream media outlets have announced they are attempting to establish Wikileaks-like anonymous servers for whistleblowers to dump information with full anonymity, in addition to the spread of copycat online sites like Openleaks (as Wikileaks itself had drawn strongly on the tradition of whistleblower sites like Cryptome). Al Jazeera already has one up and running; both The New York Times and The Guardian, which have turned into venomous opponents of Julian Assange, declared they would be establishing copycat systems. But it appeared News Corporation had beaten them to it with its “Safehouse” site.
But within hours, cyber-security experts had forensically demolished News Corp’s claims for the site. Net activist and Tor developer Jacob Appelbaum led the charge, tweeting flaw after flaw in the Wall Street Journal’s IT security measures, including that the system may allow a third party to intercept someone when they move from the unencrypted frontpage of the site to the encrypted section that uses Secure Socket Layer (SSL) encryption.
An Australian IT industry professional outlined the major flaws to Crikey, saying “I found some of the SSL issues myself within 5 minutes of waking up this morning, using off the shelf web browser tools and sensible, safe, mobile web browser settings.” Flaws include that the WSJ’s SSL certificate – used to authenticate encrypted communications – isn’t strict enough, meaning Google’s Chrome browser can’t work in Incognito mode, that it requires Flash to upload files when Flash is insecure and can leave hidden cookies, and key anonymisation tools like Tor simply aren’t working on the site (Appelbaum tweeted the result of trying to use Tor).
In short, the site doesn’t contain the most basic protections against third parties intercepting information about submitters, or against the process leaving an electronic trail on the PCs of submitters they may not be aware of. In its rush to set the site up, WSJ failed to address basic security questions that could make a huge difference to whether the whistleblowers it is calling for remain protected or not.
However, the real problem of Safehouse has nothing to do with its IT security. The biggest problem is wholly intentional. The site’s Terms and Conditions state
Except when we have a separately negotiated confidentiality agreement pursuant to the “Request Confidentiality” Section above, we reserve the right to disclose any information about you to law enforcement authorities or to a requesting third party, without notice, in order to comply with any applicable laws and/or requests under legal process, to operate our systems properly, to protect the property or rights of Dow Jones or any affiliated companies, and to safeguard the interests of others.
In short, submit material to News Corporation at your own risk, because they may shop you to the Feds, or to another company angered at your whistleblowing, without even telling you, and they don’t even need to be legally compelled to do so – they might just do it to “operate their systems properly” or “safeguard the interests of others”.
It’s an original approach – WSJ is offering the only whistleblower site in the world that promises they’ll dob you in just because they feel like it.
Rather like the Myspace disaster, it smacks of News Corp desperate to show off its digital media credentials without seemingly having the faintest clue about what it is actually doing.
This article initial described Jacob Applebaum as a “Tor founder”; he is in fact a Tor maintainer and developer.
Crikey is committed to hosting lively discussions. Help us keep the conversation useful, interesting and welcoming. We aim to publish comments quickly in the interest of promoting robust conversation, but we’re a small team and we deploy filters to protect against legal risk. Occasionally your comment may be held up while we review, but we’re working as fast as we can to keep the conversation rolling.
The Crikey comment section is members-only content. Please subscribe to leave a comment.
The Crikey comment section is members-only content. Please login to leave a comment.