Fun_People Archive
1 Dec
How to be a Whistleblower and Keep Your Job


From: Peter Langston <psl>
Date: Fri,  1 Dec 100 23:34:44 -0800
To: Fun_People
Subject: How to be a Whistleblower and Keep Your Job

X-Lib-of-Cong-ISSN: 1098-7649  -=[ Fun_People ]=-
X-http://www.langston.com/psl-bin/Fun_People.cgi
From: The Register
http://www.theregister.co.uk/content/6/14855.html

How to be a Whistleblower and Keep Your Job
By: Kieren McCarthy
Posted: 20/11/2000 at 13:22 GMT

Ever wonder why The Reg continually comes up with scoops and insider
information when our rivals seem content with rewriting press releases?
Quite simple really. Trusted sources and, more and more frequently,
readers.

However, while we have always been discreet and careful to keep our sources
anonymous, recent changes in UK law make this task more difficult. We're
talking of course about the RIP Act. Under the Act, police, security
services and the like are legally entitled to monitor any information moving
about within the UK. This is no great concern in itself - IT stories are,
let's be frank, rarely threatening to the security of the nation.

However, the new law has given employers extensive rights to read and
monitor employee email and phone calls. Also, big companies are more
tech-literate than ever. Because of these two changes in mindset, it is
crucially important for whistleblowers and sources of confidential
information to be aware of what can be done to trace suspected leaks.

Hence this brief guide to keeping out of the eye of powerful companies -
it's not perfect or foolproof but it's a damn sight better than not doing
it.

Initial contact
If you are contacting us for the first time with the intention of handing
over some damaging and/or confidential information, for God's sake don't
do it at work. Unless you want to fork out £50 for a phone scrambler (and
subsequently draw attention to yourself), DO NOT call direct from work.
Telephone logs are easily produced and checked and if only one person has
called our phone number, then he or she is likely to face serious problems.

Email is also easily checked. Hotmail will not give you any security -
network surveillance tools are way beyond that now.  Again, the point is
not that you will send a message and the boys in black will arrive at your
desk five minutes later, it's that if a company becomes suspicious it will
launch an enquiry and work backwards through email logs.

Public-key encryption - PGP etc (www.pgp.com) - will stop a company being
able to tell WHAT you've written but not the fact that you have sent us an
email. If you really have to send us an email from work, the best thing
to do is use a Hushmail account. We have set up a secure email address:
info1857@hushmail.com for just this purpose.

This is a fairly obscure email address and if you set up a Hushmail account
(www.hushmail.com or www.cyber-rights.net), then the message will be
indecipherable. However, again, retrospective analysis by a company will
put anyone using a secure email tool under suspicion - until, that is,
everyone uses it (which won't happen anytime soon).  We also get a few
network managers reading the site, so the address won't exactly be top
secret either.

Plus, if your company is really paranoid it will have software on your
network that will be able to read every keystroke you make, so all of this
is academic.

So, the basic lesson is: if you think you could get reprimanded/sacked for
the information you plan to send us, send it to us from your home PC. The
level of security you choose to use from there is up to you.

And for those really dangerous secrets
Let's suppose you have some top secret information which will mean immediate
dismissal and loss of livelihood, but you feel strongly enough to blow the
whistle. You'd be wise to take some extra precautions - especially if it
could be deemed illegal (which is not difficult under the new RIP laws).

We would recommend buying a copy of Freedom (www.freedom.net). It'll cost
you $49.95 but then that's nothing compared to loss of a salary.  Freedom
will basically mask your identity while you are on the Net. The company
behind it - Zero Knowledge Systems - basically pings your IP packets through
loads of anonymous servers and makes it nigh on impossible for anyone but
the most determined investigator to track you down. That said, use Freedom
and your profile will be raised.

Equally, if you're just paranoid/sick of spam, you may find $50 a fair
price to pay for privacy.

They're onto you
If you are British, or to be more precise if you live in Britain, your home
is a risky place to store or send confidential information. Your employer,
should it suspect that you are the mole, can seek an Anton Piller order
against you. Rarely used, because the legislation is so draconian, Anton
Piller orders are obtained in secret, and give companies the power to raid
suspects' homes (it's the police what does the raiding) and seize anything
they consider relevant to their case. The PC and the filing cabinet will
be the first things to go in the back of the police van for inspection.

Smell the coffee
Alternatively, go to a cyber cafe (but watch out for those cameras) and
use a machine there. This isn't a bad method - after all, when 15-year-old
maths prodigy Sufiah Yusof disappeared for a few weeks, regularly contacting
her parents via email, the police were unable to track her down.  It was
eventually her continual appearance at the Click N' Link Internet cafe in
Bournemouth and the fact that her face was all over the national newspapers
which led the cafe owner to contact the police.

You, of course, will be using the cafe far less frequently and will go to
different cafes if the correspondence stretches on.

Chatrooms - just say no
Don't go badmouthing your employer/ex-employer in Internet chatrooms.
You'll get mad - but chances are they'll get even when they subpoena AOL,
MSN, Yahoo! etc. for your name, address etc. If you have to vent steam in
public, at very least, use a free email account, and give a false name and
address, won't you. There is little reason, except for your own
recklessness, why the audit trail should reach you.

Remember too, that Yahoo! (Nazi memorabilia, Yeah!) and the like may spout
all they like about freedom of speech. But they do not really believe in
this guff. They are content aggregators - not content providers - and they
will sell you down the river as soon as spit.

On the other hand, newspapers (Americans are particularly good at this)
and publications like The Register will do their utmost to protect their
sources. Because that's part of the deal.

And for Colombian drug dealers?
Not that you'd want to call us anyway - The Reg maintains the media's
blatantly hypocritical attitude towards drugs - do as I say -

Well, we suggest you set up your own ISP offshore (£40,000 should do it).
Then use heavily encrypted messages under different codenames. For vocal
communication, attach a phone scrambler to a totally unsuspected phone line
and make sure there's another one at the other end, or perhaps buy a
pay-as-you-go phone and use it exclusively and for a limited time to make
contact.

That should cover it.

Alternatively, of course, you could get a pen, piece of paper, envelope
and stamp. Snail mail is the way forward, we tell you.

Remember kids: just because you're not paranoid doesn't mean they're not
out to get you.


© 2000 Peter Langston