Opsec, Snowden style

Micah Lee, the former EFF staffer whom Edward Snowden reached out to in order to establish secure connections to Glenn Greenwald and Laura Poitras, shares the methodology he and Snowden employed to stay secure and secret in the face of overwhelming risk and scrutiny.

But the internet is a hall of mirrors. Even though Snowden and Poitras had set up new anonymous email accounts and traded GPG keys through a trusted chain of communication, it’s still possible that something could have gone wrong. Maybe one end of the communication (either Snowden or Poitras) could have had their computer hacked, with the attacker in a position to impersonate them. Or maybe they could be victim to a man-in-the-middle attack where, for example, the NSA tricks two parties who think they’re having an encrypted conversation directly with each other into secretly having two separate encrypted conversations with the attacker, who forwards their messages along.

To be extra sure that these things weren’t happening, Snowden wanted to verify through a separate channel that he had Laura’s legitimate key. He asked Poitras to get me to tweet the fingerprint of her new GPG key.

Just a tiny bit of background: encryption keys are technically just strings of random data that scramble and unscramble information. Because these keys are too long to memorize or conveniently post on bios or put on business cards, each one has a far shorter “fingerprint” that is unique to the key. These fingerprints are just 40 characters long. To verify the new key that Poitras had sent him, Snowden needed to receive her new fingerprint from me and then compare it to the one he was using.

Ed Snowden Taught Me To Smuggle Secrets Past Incredible Danger. Now I Teach You. [Micah Lee/The Intercept]
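
The fingerprint comparison described in the excerpt above, as an added example that is not part of the original article: it derives the 40-character OpenPGP version 4 fingerprint from a public-key packet the way RFC 4880 defines it, then checks the key in hand against a value received over a second channel. The key material, timestamp and helper names are constructed for illustration.

```python
import hashlib
import hmac
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then the bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 public-key packet for RSA (algorithm id 1)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, 2-byte body length, packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def normalize(published: str) -> str:
    """Strip the spacing people add when posting a fingerprint; reject anything else."""
    fp = "".join(published.split()).upper()
    if len(fp) != 40 or any(c not in "0123456789ABCDEF" for c in fp):
        raise ValueError("not a 40-hex-character fingerprint")
    return fp


def key_matches(body: bytes, published: str) -> bool:
    """Compare the full fingerprint of the key we hold with the published one."""
    return hmac.compare_digest(v4_fingerprint(body), normalize(published))


def grouped(fp: str) -> str:
    """Format a fingerprint in groups of four, as it is usually posted."""
    return " ".join(fp[i:i + 4] for i in range(0, 40, 4))


# Constructed sample keys (toy moduli, not real keys).
GENUINE = rsa_public_key_body(1357000000, (1 << 2047) + 0x1234567, 65537)
SUBSTITUTED = rsa_public_key_body(1357000000, (1 << 2047) + 0x7654321, 65537)
PUBLISHED = grouped(v4_fingerprint(GENUINE)).lower()  # what the second channel carries

if __name__ == "__main__":
    print("published:", PUBLISHED)
    print("genuine key matches:", key_matches(GENUINE, PUBLISHED))
    print("substituted key matches:", key_matches(SUBSTITUTED, PUBLISHED))
```

The check covers all 40 characters, because a match on only the first or last few is far cheaper for an attacker to engineer than a match on the whole fingerprint.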