The New Yorker has announced a new anonymous document sharing system called Strongbox, that will allow people to anonymously and securely submit documents to reporters from the New Yorker. Other publications have tried to set up something like this — often inspired by Wikileaks — but for the most part, they’ve been full of security holes, sometimes big and serious ones. What may be more interesting than the fact that this system is being set up is the story behind it. It’s based on DeadDrop, an open source system that was put together by Aaron Swartz and Kevin Poulsen.
Poulsen has the backstory of DeadDrop here, which is well worth reading. Basically, he and Aaron worked on this project on and off for quite some time, and it was only just completed a few weeks before Aaron’s death. The full story is worth reading, though here’s a snippet:
I wondered about this young tech-startup founder who put his energy into the debate over corporate-friendly copyright term extensions. That, and his co-creation of an anonymity project called Tor2Web, is what I had in mind when I approached him with the secure-submission notion. He agreed to do it with the understanding that the code would be open-source—licensed to allow anyone to use it freely—when we launched the system.
He started coding immediately, while I set out to get the necessary servers and bandwidth at Conde Nast. The security model required that the system be under the company’s physical control, but with its own, segregated infrastructure. Requisitioning was involved. Executives had questions. Lawyers had more questions.
Poulsen also notes that there were questions raised about the code after Aaron’s death, but those were eventually sorted out:
By December, 2012, Aaron’s code was stable, and a squishy launch date had been set. Then, on January 11th, he killed himself. In the immediate aftermath, it was hard to think of anything but the loss and pain of his death. A launch, like so many things, was secondary. His suicide also raised new questions: Who owned the code now? (Answer: he willed all his intellectual property to Sean Palmer, who gives the project his blessing.) Would his closest friends and his family approve of the launch proceeding? (His friend and executor, Alec Resnick, reports that they do.) The New Yorker, which has a long history of strong investigative work, emerged as the right first home for the system.
Of course, Poulsen leaves out his own history here as well. As (perhaps?) many of you know, Poulsen was a somewhat infamous hacker back in the day who eventually (after avoiding law enforcement for quite some time) went to prison for some of his hacks. Since then, he’s become one of my favorite journalists, writing for SecurityFocus and then Wired (and writing a wonderful book, Kingpin about some more recent hackers). While Poulsen and Swartz met long before Swartz was indicted — and Swartz and Poulsen were indicted for very different types of activities — having the two of them work together on a project like this is really quite fascinating.
The unfortunate part of all of this, of course, is that DeadDrop is basically Aaron’s “final project.” Given how much he accomplished prior to that in his short life, it’s just one more thing to add to a very long list of incredible accomplishments, but yet another reminder of how much potential was wiped away by his suicide.