Journalism strikes back
December 12, 2013  

I’ve been feeling bad for journalists like Bart Gellman who now have to defend their computer systems against the NSA.

Since publishing stories on the NSA surveillance programs, Gellman has stepped up his personal privacy efforts significantly, through “layered defenses” including “locked rooms, safes, and air-gapped computers that never have and never will touch the ‘Net,” he said. The extra steps are “a giant tax on my time,” Gellman added.

This makes journalists just about the only people who are using defenses like air gaps, which are recommended by people like Bruce Schneier, who nevertheless does not really use them himself:

I don’t have any of the Snowden documents with me, so I haven’t made much use of the airgap computer.

That’s why it’s great to see journalists turn the tables on the powerful. IDG reports that journalists used a security weakness to identify “politicians and other public figures for allegedly making highly offensive comments on right-wing websites”:

The Swedish daily Expressen, working with an investigative journalism group, said it uncovered the identity of hundreds of people who left offensive comments at four right-wing websites through their email addresses. It then confronted the authors of the comments, many of whom freely admitted to writing them.

Disqus used a third-party service called Gravatar from Automattic, the company behind the WordPress software. Users can upload an avatar, which will then appear on any Gravatar-enabled website.

A Disqus API (application programming interface) fetched avatars from Gravatar using the hashed email addresses of registered users. A hash is a cryptographic representation of a value processed by an algorithm.

For example, the email address “idg@idgnews.com” when processed by the MD5 algorithm appears as this hash: “0ff3eeab2b765f017a526bbddd328c3b.”

The journalists likely collected the nicknames of commentators from the websites, then pinged Disqus’ API to see what MD5 value was returned.

(Hat tip: Ars Technica.)