The back door

How a hacker helped ProPublica expose Russia's secret infusion of cash to the embattled Syrian government
June 30, 2014

Aid for Assad: Documents showed a secret flight had ferried cash from Russia to Syria. A shipment of attack helicopters failed to get in. (Bryan Denton / Corbis)

In November 2012, the investigative news site ProPublica published a two-part story that added an important new dimension to coverage of the civil war in Syria. It was based on documents that showed a Syrian plane had secretly flown to Moscow and returned loaded with supplies to boost the ailing Assad regime. This wasn’t humanitarian aid. It was more than 200 tons of bank notes shipped into Syria while the military fought off rebels and a deteriorating economy. Shipments of attack helicopters had apparently failed to get in, but the stories confirmed that Russian support for the Assad regime went deeper than had been publicly acknowledged.

This is the story of how ProPublica got those flight manifests, and it offers a glimpse into the complicated world of secure international reporting in the digital age.

It began in July 2012, when I was contacted via the internet by someone who got my name from a friend in the digital activism community. The person referred to himself as a “he,” though in this community people often switch genders for security. And my contact was strict in his desire for security. Our initial exchange was over a public chat, but after that we communicated almost exclusively over secure channels.

He contacted me via IRC, or Internet Relay Chat, a group-chat protocol that allows people to interact on a remote server. People adopt nicknames, which my source had as well, that can become alternative identities, carrying their own reputations and status in the digital realm, and becoming as important to people as their legal names. IRC has been around for slightly less than 30 years and is still the favorite tool of developers, network administrators, and the more technically capable in international hacktivist groups like Anonymous. I was a regular in these chat groups, but my source was not willing to discuss what he wanted to talk to me about on the open internet.

I gave him my Jabber address: quinn@jabber.ccc.de. It looks like an email, but isn’t. It is a Jabber, or XMPP, server where I am registered as quinn. If you point your Jabber software at that address, it will connect with your XMPP server, which forwards the message to my server (jabber.ccc.de), which then forwards it to me. Jabber itself isn’t encrypted, but there’s a popular plug-in called OTR (Off The Record) Messaging that puts a layer of encryption into the instant messaging. This way, my source’s server and my server would know we were talking, and no one could see what we were saying.

He told me he had documents he was interested in getting to the press, and wanted my help. Many people in the communities I work with knew that I had brokered such deals before. I couldn’t deal with large document sets myself, but the newsrooms that can typically don’t have my connections or knowledge of secure communications. Even so, these data deals were mostly unsuccessful. Often what a source leaked to me wasn’t newsworthy, and sometimes when it was, trying to hand large data sets to a news organization fails to produce any worthwhile results. I didn’t have high expectations. But what my source told me next astounded me: He had backdoor access to the mail servers at four Syrian embassies. And it was ongoing access, not just a one-time email dump.

A backdoor meant that without the Syrians knowing it, he was quietly taking a copy of every email they sent or received. He gave me a sample of the data to prove his claim. He had encrypted an archive of the emails, given the file an innocuous name, and uploaded it to a free file-sharing site. The files were now on the public internet, but because they were encrypted, that was okay. Without the password we’d shared over our encrypted chat, no one could do anything with the scrambled text.

My source practiced careful operational security, or opsec. When he connected to servers, whether for the Syrian emails or for our chats, he did so over Tor, an open-source private network that hides the user’s IP address. No one could locate where he was coming from. As the known party in this exchange, I didn’t need to use Tor. My name was likely to be on an article eventually. Had I needed to hide that my source was talking to a journalist, Tor would have been my method of choice.

I got the file from the public site and decrypted it. Offline, I looked through some of the emails. Everything was solid; he had what he said he had. I didn’t know how close my source was to the Syrian government, or how much danger he was in. Over the coming months, my source and I would chat often over Jabber. We got to know each other, but always had to be wary. Saying too much could have put him in danger if either of our computers was being combed in the same way he was snooping on the embassy servers. I was very careful with the files; I never looked at them while online, or opened PDFs on my own computer. It was possible that something in the documents could be booby-trapped to “phone home” and tell the Syrians I had them.

I needed a journalism partner that understood both security concerns and how to handle data. I decided to approach ProPublica. I’d visited their offices in New York several times and was always impressed with their data and applications team, known internally as the “nerd cube.” I wrote Scott Klein, the head of the team who was also a friend, and asked if I could drop by to discuss something.

Soon I was in their offices telling Scott I had access to Syrian government mail servers. He looked thoughtful, and then stopped me. He asked two other members of his team, Jeff Larson and Dafna Linzer (now with MSNBC), to join us, then had me explain in more detail. They told me they were interested and asked me to come back the next week to talk about it again. I told my source later that day that I was talking to ProPublica.

The next meeting wasn’t what I was expecting. I arrived with a backpack over my shoulder and wearing casual clothes, tired from a long night of trying to get back to New York after a family weekend away. It wasn’t just Scott and Jeff and Dafna this time. The table was packed: buttondown shirts with ties, some gray at the temples. I helped myself to a cup of coffee and a moment of nervous panic, then sat down and explained the pattern that had developed between my source and me. I talked with him by secure means; he gave me encrypted files; I added them to my growing archive of Syrian diplomatic emails. I needed the people at that table to understand how serious the matter of security was. My source’s safety was my first priority. But it was also important that neither ProPublica nor I do anything that could cause my source to lose his access, which meant no one could risk looking at the files on an internet-connected computer.

Then I told them which embassies we had access to, and we all noted that Russia wasn’t on the list. Could there be more backdoors? Could one be the Russian embassy? I said that to ask my source about the Russian embassy would have been tantamount to asking him to commit a crime in order to get a story. It risked crossing a line from attentive journalism to potential computer fraud. Everyone agreed immediately; it didn’t even need to be said. I’ve never committed a felony to get a story, and I don’t intend to.

I told them that I hoped we could use some data tools like Overview or automatic translation software to find something significant in the emails. I wanted to push newsrooms like ProPublica not only toward better security, but also toward better tools for handling the kind of difficult datasets I come across in work with various types of leakers. Everyone understood. The files would never cross the net unencrypted. The work with the files would be done on an “air-gapped,” or offline, computer. We wouldn’t reveal the whole set, and I would get to see any documents that were to be made public, to deal with the possibility that a watermark of some kind could reveal the whole scheme. They agreed to everything. I told them I couldn’t promise we’d even find anything newsworthy, but they already knew that. Most everyone in that room had more news experience than I had. It may have been their first ongoing hack, but it wasn’t their first sensitive investigative story.

There was a pause. I realized that I was satisfied; I believed they would do a good job with the material, that this was the best chance I had to both keep my source safe and get a strong news story. “Well,” I said, “does anyone have a thumb drive?”

Everyone seemed startled. The files were with me. I’d been walking around Manhattan with Syrian diplomatic emails in my backpack. Jeff Larson dashed to his desk and pulled out a drive still in its package, cut it open, and handed it to me. I transferred the files I had onto the drive, plus six other media files. “When I transfer new files to you,” I told them, “the password on the encryption will be the hash of one of these files. So I will give you the file, and a number between one and six.”

A “hash,” one of the great tools of computing, is a fixed set of mathematical steps applied to some input. Say I was “hashing” with a pen and paper and my hash steps were: Add 23, multiply by two, and keep only the first two digits. The hash of one would be 48, the hash of two would be 50, the hash of 1,337 would be 27, and so on. The hashes computers use are much more complicated, and working backward from a hash to the file that produced it can be nearly impossible.

When using a “hashing algorithm,” you get the same output back every time you put the same input in. (It’s important to remember that for a computer, a file is only a series of numbers.) But if you change anything about a file–even a single bit–you get a very different number back. So hashes can be used to prove that something is what it’s supposed to be.

As such, hashing is used for verification all over the network. Instead of saving passwords, saving hashes lets you verify someone without ever having to know their password. The hashes of the media files I’d given Jeff would make long, impossible-to-crack passwords that we could get easily just by checking the hashes on the file we shared.

With the first batch of files delivered to ProPublica, I left New York. Every two to four weeks, depending on our schedules, my source and I chatted on Jabber and he’d give me a link to an encrypted file on a public site. We used three or four different sites, whichever we fancied. We would prearrange a password in encrypted chat, I would download the encrypted file, decrypt it, and check the hash. My source would confirm that the hashes of my copy and his matched. I would re-encrypt the file and make the password the hash of one of the six shared files. Then I would look for Scott or Jeff on Skype.

Skype isn’t secure, but it didn’t need to be. For us, transferring files over Skype was an easier version of the public-site transfer my source and I were using. I would usually say little more than “Hi,” sometimes the date range of the drop, and the number between 1 and 6 that denoted the files I’d used to generate the password.

When Scott and Jeff received the file, they decrypted it and usually passed me the hash over another encrypted Jabber chat. I compared that to the first hash I’d exchanged with my source, and that way we knew the file was identical all along the process. We didn’t do this every time. It would have been nearly impossible for someone to have disrupted the process and still have the files decrypt and decompress properly. But it was nice to be so sure.
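The hand-off described above, as an added example that is not the author’s or ProPublica’s own tooling: six constructed stand-in files, the password for a drop taken as the SHA-256 of the one picked by index, and the end-to-end hash check folded into the receiving step. The article names no encryption tool, so the encrypt-then-MAC wrapper (SHAKE-256 keystream with HMAC-SHA256) is an assumption standing in for whatever archive encryption was used.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for the six media files handed over on the thumb drive.
SHARED_FILES = [b"shared media file #%d (constructed)" % i for i in range(1, 7)]

def password_for(index, shared=SHARED_FILES):
    """The drop's password is the hex SHA-256 of shared file number `index` (1-6)."""
    if not 1 <= index <= len(shared):
        raise ValueError("index must be between 1 and %d" % len(shared))
    return hashlib.sha256(shared[index - 1]).hexdigest()

def _keys(password, salt):
    # Stretch the 64-hex-char password into one encryption key and one MAC key.
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]

def encrypt(plaintext, password):
    """Stand-in archive encryption: SHAKE-256 keystream XOR, then HMAC-SHA256 tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(password, salt)
    stream = hashlib.shake_256(enc_key + nonce).digest(len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    return salt + nonce + ct + tag

def decrypt(blob, password):
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _keys(password, salt)
    expect = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong password or tampered drop")
    stream = hashlib.shake_256(enc_key + nonce).digest(len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))

def sender_prepare(archive, index):
    """Sender's side: note the hash agreed with the source, re-encrypt, send only the index."""
    source_hash = hashlib.sha256(archive).hexdigest()
    return encrypt(archive, password_for(index)), index, source_hash

def receiver_open(blob, index, source_hash):
    """Newsroom's side: rebuild the password from shared file `index`, decrypt, and
    confirm the plaintext hashes to the value the source and sender agreed on."""
    archive = decrypt(blob, password_for(index))
    if hashlib.sha256(archive).hexdigest() != source_hash:
        raise ValueError("decrypted archive does not match the source's hash")
    return archive
```

Because the MAC covers the ciphertext, a drop that was altered in transit, or opened with the wrong index number, fails before any plaintext is produced.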

After getting the files, ProPublica put them on an older computer that wasn’t connected to the network. In fact, it had no purpose other than to hold these files. This prevented any malware that might have been in the drops from either alerting the Syrians or harming anything on ProPublica’s network.

Data journalism is difficult under the best of circumstances, and this wasn’t anywhere near the best. The data was unstructured, in Arabic, full of documents and attachments, images, and casual conversations. Scott told me they gave up quickly on the concept of machine translation, because it just wasn’t working. Instead, they hired a Syrian-Arabic speaker part time to read the documents.

We went on like this for a while. I would pass files along and ask how the investigation into them was going. My contacts at ProPublica would say their translator hadn’t found anything newsworthy yet. Many of the emails were news clippings, usually stories that backed up the government’s line. There were emails about where people went and what they bought. Interesting, but not newsworthy. I passed the news, or lack thereof, back to my source.

We all were frustrated. None of us knew if the translator was missing something, or if there just wasn’t anything with news value in the data. It would be a disappointment after all this, but it was a contemporary data problem. An anonymous source plus a mass of documents can often equal disillusionment. Access to a trove of files meant all the difficulty of protecting a traditional whistleblower with none of the assurance or clarity of dealing with material selected by a knowledgeable insider.

This went on until Jeff began poking around in the documents himself. He noticed some flight manifests in email attachments that were in English. The cargo listed on some of the manifests caught his eye: the bank notes, the helicopters. These documents became the foundation of the story. The manifests didn’t just show odd cargo, but an odd flight path–a twisted route that dodged around Turkey, a NATO member state, greatly lengthening the flight time. With this triggering document, ProPublica swung into action, investigating the story with the gusto that is critical no matter how good the initial documents are. They interviewed officials and experts, and even used plane spotters–the enthusiasts who chronicle the tail numbers on aircraft as they land and take off–to verify the flights for which we had manifests. All the while I kept getting files from my source and passing them on, keeping him apprised of the story’s progress.

Finally, Scott told me they were ready to publish. I asked for an “assisted with” credit line, but not a byline. ProPublica had done the real work.

In the final hours before the story went up, the ProPublica editors sent the manifests to the Syrian government for comment. It was the only security fumble they made. Months before, in the original meeting, I’d said I wanted a chance to examine any documents before they went out so I could look for a watermark, or figure out how to obscure their origin. They’d just forgotten. In that stream of security concerns, it was easy to overlook a small detail.

I found my source online and told him about the manifests, but he’d already figured out that something had happened. His access to the embassy documents was presumably discovered and the backdoors were closed within two hours of the manifests being given to the Syrians.

The next few weeks were tense. The Syrians closed the holes, but would they come after my source? Had he made a mistake, left some forensic evidence? Would the Syrian government care enough to pursue him if he did?

My worries reinforced what I knew already: Operational security and data journalism are just plain hard. But they are the realities of accountability journalism today. Not just the accountability that journalists bring to those in power, but the responsibility journalists have to their subjects, their readers, and especially their sources.

The stories themselves did well, and they touched off a cycle of coverage on the level of Russian support for the Assad regime. I checked in daily with my source, who wasn’t as nervous as I was. He had never connected to anything without Tor, and he had been meticulous about how and where his programs to collect the data had run. Nearly two years later, I am still in touch with him, and he still sees no signs that the Syrian government is on his trail. But, as it turns out, he wasn’t the only one who penetrated those servers. There’d been at least one more person involved, someone my source only talked to twice. That person had done some of the technical work to compromise the servers, but had vanished before I got involved. I may never know if that person (or people, if it was more than one) is safe. Or if they were happy with what we accomplished with their work. I hope they were. 

Quinn Norton writes about science, robotics, hackers, copyright law, body modification, and medicine. Her work has appeared in Wired, The Atlantic, Maximum PC, and other publications.