- Ever wonder why The Reg continually comes up with scoops
and insider information when our rivals seem content with rewriting press
releases? Quite simple really. Trusted sources and, more and more frequently,
readers.
-
- However, while we have always been discreet and careful
to keep our sources anonymous, recent changes in UK law make this task
more difficult. We're talking of course about the RIP Act. Under the Act,
police, security services and the like are legally entitled to monitor
any information moving about within the UK. This is no great concern in
itself - IT stories are, let's be frank, rarely threatening to the security
of the nation.
-
- However, the new law has given employers extensive rights
to read and monitor employee email and phone calls. Also, big companies
are more tech-literate than ever. Because of these two changes in mindset,
it is crucially important for whistleblowers and sources of confidential
information to be aware of what can be done to trace suspected leaks.
-
- Hence this brief guide to keeping out of the eye of powerful
companies - it's not perfect or foolproof but it's a damn sight better
than not doing it.
-
- Initial contact
-
- If you are contacting us for the first time with the
intention of handing over some damaging and/or confidential information,
for God's sake don't do it at work. Unless you want to fork out £50
for a phone scrambler (and subsequently draw attention to yourself), DO
NOT call direct from work. Telephone logs are easily produced and checked
and if only one person has called our phone number, then he or she is likely
to face serious problems.
-
- Email is also easily checked. Hotmail will not give you
any security - network surveillance tools are way beyond that now. Again,
the point is not that you will send a message and the boys in black will
arrive at your desk five minutes later, it's that if a company becomes
suspicious it will launch an enquiry and work backwards through email logs.
-
- Private keys - PGP etc (www.pgp.com) - will stop a company
being able to tell WHAT you've written but not the fact that you have sent
us an email. If you really have to send us an email from work,
the best thing to do is use a Hushmail account. We have set up a secure
email address: info1857@hushmail.com for just this purpose.
-
- This is a fairly obscure email address and if you set
up a Hushmail account (www.hushmail.com or www.cyber-rights.net), then
the message will be indecipherable. However, again, retrospective analysis
by a company will put anyone using a secure email tool under suspicion
- until, that is, everyone uses it (which won't happen anytime soon). We
also get a few network managers reading the site, so the address won't
exactly be top secret either.
-
- Plus, if your company is really paranoid it will have
software on your network that will be able to read every keystroke you
make, so all of this is academic.
-
- So, the basic lesson is: if you think you could get reprimanded/sacked
for the information you plan to send us, send it to us from your home PC.
The level of security you choose to use from there is up to you.
-
- And for those really dangerous secrets
-
- Let's suppose you have some top secret information which
will mean immediate dismissal and loss of livelihood but you feel strongly
enough to blow the whistle. You'd be wise to take some extra precautions
- especially if it could be deemed illegal (which is not difficult under
the new RIP laws).
-
- We would recommend buying a copy of Freedom (www.freedom.net).
It'll cost you $49.95 but then that's nothing compared to loss of a salary.
Freedom will basically mask your identity while you are on the Net. The
company behind it - Zero Knowledge Systems - basically pings your IP packets
through loads of anonymous servers and makes it nigh on impossible for
anyone but the most determined investigator to track you down. That said,
use Freedom and your profile will be raised.
-
- Equally, if you're just paranoid/sick of spam, you may
find $50 a fair price to pay for privacy.
-
- They're onto you
-
- If you are British, or to be more precise if you live
in Britain, your home is a risky place to store or send confidential information.
Your employer, should it suspect that you are the mole, can seek an Anton
Piller order against you. Rarely used, because the legislation is so draconian,
Anton Piller orders are obtained in secret, and give companies the power
to raid suspects' homes (it's the police what does the raiding) and seize
anything they consider relevant to their case. The PC and the filing cabinet
will be the first things to go in the back of the police van for inspection.
-
- Smell the coffee
-
- Alternatively, go to a cyber café (but watch out
for those cameras) and use a machine there. This isn't a bad method - after
all, when 15-year-old maths prodigy Sufiah Yusof disappeared for a few
weeks, regularly contacting her parents via email, the police were unable
to track her down. It was eventually her continual appearance at the Click
N' Link Internet café in Bournemouth and the fact that her face
was all over the national newspapers which led the café owner to
contact the police.
-
- You, of course, will be using the café far less
frequently and will go to different cafes if the correspondence stretches
on.
-
- Chatrooms - just say no
-
- Don't go badmouthing your employer/ex-employer in Internet
chatrooms. You'll get mad - but chances are they'll get even when they
subpoena AOL, MSN, Yahoo! etc. for your name, address etc. If you have
to vent steam in public, at the very least, use a free email account, and give
a false name and address, won't you. There is little reason, except for
your own recklessness, why the audit trail should reach you.
-
- Remember too, that Yahoo! (Nazi memorabilia, Yeah!) and
the like may spout all they like about freedom of speech. But they do not
really believe in this guff. They are content aggregators - not content
providers - and they will sell you down the river as soon as spit.
-
- On the other hand, newspapers (Americans are particularly
good at this) and publications like The Register will do their utmost to
protect their sources. Because that's part of the deal.
-
- And for Colombian drug dealers?
-
- Not that you'd want to call us anyway - The Reg maintains
the media's blatantly hypocritical attitude towards drugs - do as I say
-
-
- Well, we suggest you set up your own ISP offshore (£40,000
should do it). Then use heavily encrypted messages under different codenames.
For vocal communication, attach a phone scrambler to a totally unsuspected
phone line and make sure there's another one at the other end, or perhaps
buy a pay-as-you-go phone and use it exclusively and for a limited time
to make contact.
-
- That should cover it.
-
- Alternatively, of course, you could get a pen, piece
of paper, envelope and stamp. Snail mail is the way forward, we tell you.
-
- Remember kids: just because you're not paranoid doesn't
mean they're not out to get you.
-
- http://www.theregister.co.uk/content/1/14855.html