You received a leak, now what?

A hands-on OPSEC simulation

Alex Pyrgiotis
Freedom of the Press Foundation
Kolja Weber
FlokiNet

Aspects of a tip

1. First contact

How sources learn where to send tips.

2. GrapheneOS + Signal = ❤️

Hardening the mobile tipline

3. Perimeter security

Walls have ears, we have gears.

4. QubesOS + SecureDrop = ❤️

Compartmentalization as a defense.

5. Post-verification

Store it, share it, publish it, without burning your source.

Part I

The first-contact problem

How sources learn where to send tips.

The tipline situation in 2013

In 2013, an anonymous user contacted Micah Lee, then staff technologist at EFF
and CTO at Freedom of the Press Foundation:

From: anon108@■■■■■■■■■
To: Micah Lee
Date: Fri, 11 Jan 2013

Micah,

I’m a friend. I need to get information securely to Laura Poitras and her alone, but I can’t find an email/gpg key for her.

Can you help?

The tipline situation in 2013

That person was paranoid enough about security that, even after they had acquired
Laura's PGP key, they proposed that Micah tweet its fingerprint, just to be sure.

From: 303@riseup.net
To: Micah Lee
Date: Mon, 28 Jan 2013

Hey Micah,
This is Laura Poitras.
Someone is trying to verify my fingerprint to this email. The person has proposed you tweet the fingerprint. Would you be able to tweet this to your acct:
1EBF 5F15 850C 540B 3142 F158 4BDD 496D 4C6C 5F25
Let me know if possible.
Thanks,
Laura

Would you go through those hoops?

Tiplines must be advertised to everyone

Washington Post: the tipline is blended in with the news articles.

Yes, even in print.

The tipline landing page

What IT should know:

  • No subdomains: use newsroom.org/tips not tips.newsroom.org
  • No analytics: no trackers, zero logs
  • Tor-friendly: no captchas, no JavaScript
  • Trustworthy hosting provider: censorship-resistant, zero logs
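
One way to turn the IT checklist above into configuration, as an added example that is not from the talk: an nginx fragment that serves the tip page from a path on the main host, switches logging off for that path and sends a Content-Security-Policy that leaves no room for scripts or third-party trackers. The domain newsroom.example and the .onion address are placeholders.

```nginx
server {
    listen 443 ssl;
    server_name newsroom.example;          # same host as the news site, not tips.*

    # Path-based tip page: newsroom.example/tips, not a tips.newsroom.example subdomain
    location /tips/ {
        root /var/www/newsroom;
        access_log off;                    # zero logs for this path
        error_log /dev/null crit;

        # Tor Browser offers to switch to the onion service when it sees this header
        add_header Onion-Location "http://PLACEHOLDER.onion/tips/" always;

        # No scripts, no third-party resources: nothing for analytics or trackers to hook into
        add_header Content-Security-Policy "default-src 'none'; img-src 'self'; style-src 'self'" always;
        add_header Referrer-Policy "no-referrer" always;
        add_header Cache-Control "no-store" always;   # nothing left behind on a shared computer
    }
}
```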

The tipline landing page

What sources should know:

  • Not from work: no corporate devices, no corporate network
  • Public spaces: cafes, libraries, anywhere not associated with you
  • Files have fingerprints: leaked files may get traced back to you
  • Instructions: how to securely use Signal/SecureDrop/etc.
  • Loose lips sink ships: never discuss whistleblowing activities

Chelsea Manning: what can go wrong

In 2010, Chelsea Manning was leaking classified documents. She felt isolated and confided in Adrian Lamo, a former "grey hat" hacker, via encrypted chat.

Manning wrote: "but im not a source for you ... im talking to you as someone who needs moral and emotional fucking support", and Lamo replied: "i told you, none of this is for print."

Spoiler alert: it was.

Where do we go from here?

A lot of things can go wrong. A lot of things can go right, as we learned from the now distant 2013.

In 2026, we have new tools and more experience.

Let's go deeper.

Part II

GrapheneOS + Signal = ❤️

Hardening the mobile tipline

What Signal knows about you

  • Signal publishes the subpoenas it is not gagged from disclosing at https://signal.org/bigbrother
  • The latest subpoena shows that Signal stores very little info:

We received a grand jury subpoena from the United States District Court for the District of Columbia which requested customer or subscriber account information for a list of 37 phone numbers. Specifically, it asked us to produce the account creation date and time, as well as the last connection date and time for those accounts. This showcases increasing awareness of the remarkably little information Signal can make available in response to such requests in the first place.

What Signal knows about you

Information             How is it used                                          Transient?
Phone number            Used to fight spam, switch devices, discover contacts   ❌
IP address              Used for rate limiting                                  ✅
Ephemeral keys/tokens   Necessary to send messages, establish calls             ✅
Registration PIN        Prevents account hijacking                              ❌
Device creation date    Used when listing linked devices                        ❌
Last connection date    Used for device expiration logic                        ❌

What Signal knows about you

If Signal were forced to conduct active traffic analysis, the IP addresses and
ephemeral keys could help law enforcement build a graph of who talks with whom.

Quick Signal wins

Setting                                                            Why it matters
Sealed sender                                                      Harder for Signal/AWS to track who talks with whom
Sealed sender -> Allow from anyone                                 (see above)
Disable link previews                                              Previews = IP leak to the server behind the link
Registration lock                                                  Blocks SIM-swap hijacking
No notification content (iOS-only; unnecessary as of May 2026)     Do not store incoming messages on the device

Importance of Registration Lock

In January 2026, dozens of journalists became the target of a phishing attack by
a fraudulent "Signal Security Support ChatBot" account:

Dear User, this is Signal Security Support ChatBot. We have noticed suspicious activity on your device, which could have led to data leak. We have also detected attempts to gain access to your private data in Signal. To prevent this, you have to pass verification procedure, entering the verification code to Signal Security Support Chatbot. DON’T TELL ANYONE THE CODE, NOT EVEN SIGNAL EMPLOYEES.

Possible end goal:

  • Reveal who communicates with whom.
  • Read messages after takeover.

What about the device itself?

In January 2026 (again!), the FBI raided the home of Washington Post reporter Hannah Natanson to gain access to her Signal contacts, which included at least 1,169 current and former US federal employees.

Here's what we know from a court order:

[...] Because the iPhone was in Lockdown mode, CART could not extract that device

How Cellebrite and others work

Important terms:

  • BFU (Before First Unlock)
    Device powered off or just booted
  • AFU (After First Unlock)
    Device has been unlocked at least once
  • TPM (Trusted Platform Module)
    On-board chip that prevents brute-force PIN guessing
    • Available on iOS and certain Android devices.

Cat and mouse game

  • Extraction tools lag a bit behind iOS / Pixel releases
  • Android devices without a TPM can be trivially extracted
  • Resistance, from strongest to weakest: BFU (passphrase) > BFU (PIN) > AFU
  • GrapheneOS gets a section of its own, with no serious exploit against it

Quick phone wins

Setting                             Why it matters
Lockdown mode (iOS)                 Protection against device seizures/spyware
Advanced Protection (Android)       Protection against device seizures/spyware
No SIM card (newsroom devices)      Many 0-days target SMS/MMS

GrapheneOS

Setting                             Why it matters
Auto-reboot                         Brings the device back to BFU if not unlocked for N hours
Disable USB port on lock screen     Blocks attacks on USB software bugs while the device is locked
Sandboxed Google Play               Keeps the Google integration small
User profiles                       Different settings/passwords/apps per profile
Hardware attestation                Protection against evil-maid attacks
Duress password                     Wipes the device in case of physical intimidation

Live demo: GrapheneOS + Signal

  • Simple installation
  • User profiles (personal, tips, vaults)
  • Receiving a tip via Signal
  • Device VPN (Orbot)
  • Secure PDF viewer / browser

Part III

Perimeter security

Walls have ears, we have gears.

Perimeter security

  • A simple alarm system goes a long way.
  • A Rayhunter device can warn you of radio eavesdroppers (IMSI catchers).
  • A Faraday bag (pictured) can also help on special occasions.

IMSI catchers

A device that impersonates a mobile phone tower.

  • They can record who was in the same area as another person.
  • They can collect data and metadata for calls.
  • They can act as radio jammers.
  • They can downgrade the communications protocol to a weaker one, like 2G/3G.
    • Unless you have GrapheneOS :-)

Were you at IJF this year, perhaps?

Part IV

QubesOS + SecureDrop = ❤️

Compartmentalization as a defense.

Remember that WaPo reporter?

The FBI also seized her MacBook, portable hard drive, and audio recording device

... and gained access to it

Remember that WaPo reporter?

Then they took pictures and video recordings of the conversations and the attachments, because they noticed "Disappearing messages" were turned on.

Possible outcomes

  • The FBI knows the display names / avatars of her Signal sources.
  • They can work in reverse and subpoena Signal to give them the phone numbers.
    • We are not aware of any such action yet.

Signal balances source confidentiality and ease of use extremely well.

Sources with a different threat model may choose to use SecureDrop.

And that's a much different beast...

SecureDrop overview - Sources

  • Sources visit the Tor onion site and receive a long codename.
  • Sources can send messages and attachments.
  • Sources learn of replies only if they visit again.

SecureDrop overview - Journalists

Journalists have two laptops and four USB keys.

Realistically, interacting with submissions takes a lot of time.

Can we have a single laptop please?

Qubes OS

  • Linux-based OS
  • Same target group as Tails
  • ... but everything is a VM
  • Different window colors per environment
  • Not a daily driver, but a special-purpose machine

No need for different Tails keys!

Live Demo: QubesOS + SecureDrop

  • Personal, work, vault environments
  • Safe file viewing and printing
  • Search messages, export transcripts

Part V

Post-verification

Store it, share it, publish it, without burning your source.

Post-verification

You have verified in a secure fashion that the material is important.

Possible scenarios:

  • Store it
  • Share it privately
  • Go public

Store it offline

Use VeraCrypt on any USB drive!

  • Available on Windows/macOS
  • Third-party support on Android/iOS
  • Open-source
  • Offers plausible deniability

Plausible deniability

A VeraCrypt drive can consist of two volumes:

  • Outer volume: Place decoy files in there (tax / health records, previous
    investigations).
  • Inner (hidden) volume: Place sensitive files in there.

Under duress, hand over the password of the outer volume.

Making it tamper-evident

In cases of:

  • Shipping USB drive to someone
  • Crossing borders
  • Long-term storage

UPS package that Micah used to ship a Tails key to Glenn Greenwald.

(notice "Flash Drive Gift" at the bottom)

Making it tamper-evident (the boring way)

One way is to buy tamper-evident bags...

... but if your threat model is law enforcement, assume that they have ways around it.

(here, it's just a syringe with acetone)

Making it tamper-evident (the fun way)

  1. Grab a bean mix
  2. Wrap the USB drive with plastic wrap
  3. Put the beans and the USB drive in a vacuum bag
  4. Seal it with a vacuum sealer
  5. Take a picture of it from both sides
  6. Verify the mosaic with BlinkComparison (Android-only)

Showcase of how blink comparison works
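
The BlinkComparison step relies on your eyes. As an added example (not code from the talk or from BlinkComparison), the same idea automated: the "before" and "after" photos of the bean mosaic are normalised for lighting, then compared block by block, and any block whose beans have moved is flagged. The two 32×32 greyscale photos are constructed in the code; real photos would first need cropping and alignment to the same frame.

```python
from statistics import mean, pstdev

def zscore(img):
    """Normalise one photo to mean 0 / std 1, which cancels a global lighting change."""
    pix = [p for row in img for p in row]
    m, s = mean(pix), pstdev(pix)
    if s == 0:
        raise ValueError("flat image, nothing to compare")
    return [[(p - m) / s for p in row] for row in img]

def changed_blocks(before, after, block=8, threshold=0.5):
    """Return (row, col) indices of blocks whose mean absolute difference exceeds threshold."""
    if len(before) != len(after) or len(before[0]) != len(after[0]):
        raise ValueError("photos must be aligned to the same size first")
    a, b = zscore(before), zscore(after)
    h, w = len(a), len(a[0])
    flagged = []
    for r in range(0, h, block):
        for c in range(0, w, block):
            diff = mean(abs(a[y][x] - b[y][x])
                        for y in range(r, min(r + block, h))
                        for x in range(c, min(c + block, w)))
            if diff > threshold:
                flagged.append((r // block, c // block))
    return flagged

def _lcg(seed):
    """Deterministic pseudo-random pixel values 0..200, so the sample is reproducible."""
    while True:
        seed = (seed * 1103515245 + 12345) % 2**31
        yield (seed >> 16) % 201

def sample_photos(size=32, block=8):
    """Constructed sample: a random bean mosaic, re-photographed under brighter light
    (+20 everywhere) with the beans in block (1, 2) disturbed (pixel values inverted)."""
    rnd = _lcg(42)
    before = [[next(rnd) for _ in range(size)] for _ in range(size)]
    after = [[p + 20 for p in row] for row in before]
    for y in range(block, 2 * block):
        for x in range(2 * block, 3 * block):
            after[y][x] = 220 - before[y][x]
    return before, after
```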

Store it online

  • Proton Drive offers end-to-end encryption.
  • For the paranoid, you can even create an anonymous account using Tor.

Sharing it privately

  • Anonymous tips cannot always be trusted.
  • The fact that you opened it safely in Qubes OS / GrapheneOS does not mean others have the same setup.
  • Files must be sanitized.

Phony whistleblowers

Since April 2025, the lure of confidential info has been used against ICIJ journalists by Chinese state actors pretending to be whistleblowers:

The email included a link that “Bai” said led to an archive full of confidential records. ICIJ concluded that the link was likely malicious, the whistleblower a fake, and the email a clumsy attempt to steal the reporter’s login details to access source information and other sensitive data.

Dangerzone

  • Open source desktop app
  • Maintained by Freedom of the Press Foundation
  • Supports Windows, macOS, Linux, Tails, Qubes
  • Supports more than 20 file types (PDFs, office, images)
  • https://dangerzone.rocks

Going public

The material may have de-anonymization vectors that point back to the source.

Let's see some prominent examples.

Exhibit A - Simple metadata (multimedia)

⚠ Photos may contain location and author info
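
A pre-publication check for exactly this, as an added example that is not code from the talk or from Dangerzone: a minimal Exif walker that reports whether a JPEG still carries an Artist tag or a GPS sub-IFD, run against a sample file constructed in the code. Real photos carry many more tags; a publication workflow should strip all of them rather than inspect these two.

```python
import struct

ARTIST, GPS_IFD = 0x013B, 0x8825   # standard Exif tag numbers

def find_exif(data):
    """Return the TIFF blob carried in the APP1 'Exif' segment, or None if absent."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # includes the 2 length bytes
        if marker == 0xE1 and data[pos + 4:pos + 10] == b"Exif\x00\x00":
            return data[pos + 10:pos + 2 + length]
        if marker == 0xDA:           # start of scan: metadata segments are all behind us
            return None
        pos += 2 + length
    return None

def exif_findings(data):
    """Walk IFD0 and report the Artist string and whether a GPS sub-IFD exists."""
    tiff = find_exif(data)
    if tiff is None:
        return {}
    end = ">" if tiff[:2] == b"MM" else "<"              # byte order of the TIFF structure
    ifd0 = struct.unpack(end + "I", tiff[4:8])[0]
    count = struct.unpack(end + "H", tiff[ifd0:ifd0 + 2])[0]
    found = {}
    for i in range(count):
        entry = ifd0 + 2 + 12 * i
        tag, typ, n = struct.unpack(end + "HHI", tiff[entry:entry + 8])
        if tag == GPS_IFD:
            found["gps"] = True
        elif tag == ARTIST and typ == 2:                 # ASCII: inline if <= 4 bytes, else at offset
            off = entry + 8 if n <= 4 else struct.unpack(end + "I", tiff[entry + 8:entry + 12])[0]
            found["artist"] = tiff[off:off + n].rstrip(b"\x00").decode("ascii", "replace")
    return found

def build_sample_jpeg(artist=b"Jane Doe"):
    """Constructed minimal JPEG (no image data) whose Exif block carries Artist and a GPS IFD."""
    artist += b"\x00"
    artist_off = 8 + 2 + 2 * 12 + 4                      # IFD0 at offset 8; Artist right after it
    gps_off = artist_off + len(artist) + len(artist) % 2  # keep the GPS IFD word-aligned
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + struct.pack(">H", 2)
    tiff += struct.pack(">HHII", ARTIST, 2, len(artist), artist_off)
    tiff += struct.pack(">HHII", GPS_IFD, 4, 1, gps_off) + struct.pack(">I", 0)
    tiff += artist + b"\x00" * (len(artist) % 2)
    tiff += struct.pack(">HHHI", 1, 1, 2, 2) + b"N\x00\x00\x00" + struct.pack(">I", 0)  # GPSLatitudeRef
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"
```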

Exhibit B - Complex metadata (PDF, MS Office)

⚠ PDFs and office documents may contain nested metadata.
Think embedded photos, Word’s tracking changes feature.

Exhibit C - Redactions

⚠ Redactions do not work if they sit in a separate layer or are not opaque

Exhibit D - Physical watermarks

⚠ Printed documents may contain tracking dots

Exhibit E - Digital watermarks

⚠ Digital material accessible only to you may have invisible watermarks

Exhibit F - Canary tokens

  • Most sane document viewers block them silently.
  • Microsoft Office asks to enable macros.
  • Adobe Acrobat asks if it's ok to connect to site.
  • Deanonymization is a click away.

⚠ Trapped documents may phone home in major viewers

Exhibit G - Fingerprinting

  • Cameras, mics are subject to fingerprinting
  • Your way of writing is a fingerprint (stylometry)
  • Unlike watermarking, fingerprinting is useful only with a second match (much like human fingerprints)

⚠ A/V equipment and writing style can be fingerprinted

Exhibit H - Environment

⚠ Cameras, microphones capture the surrounding environment

Going public

Practical advice:

  • Ensure that the source used disposable equipment not tied to them.
  • Ensure that the documents were not directed to the source.
  • Sanitize documents before publication:

OPSEC works!

KRIK protected their source by not providing the prosecutor's office with the original recording of an incriminating discussion.

In its latest letter to KRIK, the prosecutor’s office claims the recording is needed for forensic examination and insists it is not asking the newsroom to reveal its source, only to provide the recording itself — either the original, its “closest copy,” or the device on which it was recorded. The letter again threatens journalists with a fine if they fail to comply.

OPSEC works!

Radio New Zealand protected their source by not disclosing the document format that the source provided to them.

[...] the investigator interviewed more than 40 people including those who accessed the Budget report "via SharePoint", received a copy of the report as an email attachment, or had printed it. [...] It was unclear which version the reporter had seen.

The Investigator asked to speak to the RNZ reporter [...] to discuss matters such as the file format and version of the Budget Report disclosed to him. The reporter and Radio New Zealand via its legal representation declined to do so.

Thank you

Questions? OPSEC war stories?

The tipline situation in 2013

<div class="excerpt">

From: **Laura Poitras**

To: Micah Lee

Date: Thu, 9 May 2013

I’m working on something with **Glenn** and I really need to get him on a secure (preferably **Tails**) system. He does not have the technical skills to set this up himself, and I’m trying to keep things compartmentalized, so I don’t want to email him about this topic directly on a non-secure channel.

</div>