Threat Model For Source Communicating With Journalist

Sources communicating with journalists must assume potential state-level compromise including OS-level exploits, network-level interception, and zero-day vulnerabilities; therefore use Tails Linux booted from USB for all sensitive communications, SecureDrop for anonymous document submission, Signal for messaging if using personal devices, and Tor for any internet access. Use a separate device unconnected to your identity, remove all metadata from documents using Mat2 or ExifTool, and establish out-of-band communication channels for verifying journalist identity. This guide provides a practical threat modeling framework covering adversary types, attack vectors, layered defenses, and operational discipline required for source-journalist relationships.

Understanding the Threat ecosystem

Sources communicating with journalists encounter adversaries with significant resources. Understanding who might attempt to compromise your communication determines which defenses matter most.

Primary Threat Actors

State-level adversaries possess capabilities that can compromise operating systems, intercept network traffic at infrastructure points, and deploy zero-day exploits. If you face this threat level, assume that any device connected to the internet may be compromised.

Corporate entities may use legal pressure, technical surveillance, or social engineering to identify sources. They often work through legal discovery, NSL letters, or direct technical compromise of devices.

Local adversaries include anyone who might benefit from identifying you as a source—employers, family members, or local authorities. Their capabilities vary widely but should not be underestimated.

Attack Vectors to Consider

Your threat model must account for multiple attack surfaces:

Device compromise: Malware, firmware attacks, or physical access to your devices
Network surveillance: ISP-level logging, WiFi interception, or traffic analysis
Metadata leakage: Communication patterns, timestamps, and contact associations
Operational security failures: Behavioral patterns, digital traces, or social engineering
Legal pressure: Subpoenas, warrants, or mandatory data retention

Building Your Defensive Architecture

Device Selection and Isolation

The foundation of secure source communication starts with dedicated devices that never touch your normal digital life.

Consider using a dedicated laptop or mobile device purchased with cash, never associated with your identity. This device should have:

Full disk encryption enabled
No cloud sync services
Separate, isolated accounts
Regular security updates applied manually

For maximum protection, use an air-gapped machine for the most sensitive communications, transferring messages via encrypted USB drives using a procedure like this:

# Verify USB drive integrity before use
sudo cryptsetup luksFormat /dev/sdX
# Create encrypted container
sudo cryptsetup luksOpen /dev/sdX secure_container
sudo mkfs.ext4 /dev/mapper/secure_container
# Mount and use for file transfer
sudo mount /dev/mapper/secure_container /mnt/secure/

Communication Channel Selection

Choose communication channels based on your threat model:

Secure messaging apps like Signal provide excellent forward secrecy and end-to-end encryption. However, they require phone number registration and store contact information on devices. Use a burner phone number registered with cash for maximum privacy.

Email with PGP encryption offers asynchronous communication without phone number requirements. The learning curve is higher, but metadata exposure is reduced:

# Example PGP encryption workflow using python-gnupg
from gnupg import GPG

gpg = GPG(gnupghome='/path/to/gpg/home')

# Encrypt message for journalist's public key
public_key_data = open('journalist_pubkey.asc').read()
gpg.import_keys(public_key_data)

encrypted = gpg.encrypt(
    "Your message here",
    recipients=['journalist@example.com'],
    always_trust=True
)

print(str(encrypted))

Secure drop systems like SecureDrop provide institutionalized protection, but require institutional setup and trust in the organization’s infrastructure.

Network Operational Security

Your network connection reveals significant information about your communication patterns.

Tor browser provides anonymity by routing traffic through multiple relays, obscuring your IP address and preventing simple traffic analysis:

# Verify Tor is working correctly
# Check your IP appears different
curl -s https://check.torproject.org/api/ip

Use Tor for all sensitive communications. Avoid logging into personal accounts or revealing identifying information while using Tor. Consider using Tor in a TAILS live operating system for added protection.

Metadata Protection

Even with encrypted communications, metadata can reveal your network:

Metadata Type	Risk Level	Mitigation
Timestamps	Medium	Use asynchronous communication
IP Addresses	High	Always use Tor
Contact Lists	High	Keep minimal, use encryption
Message Length	Low	Padding can help
Communication Frequency	Medium	Vary communication patterns

Operational Security Practices

Identity Separation

Maintain strict separation between your source identity and normal digital presence:

Separate devices: Never use your source device for personal activities
Separate identities: Create entirely new email addresses, phone numbers, and accounts
Separate locations: Access sensitive communications from unexpected locations when possible
Separate behaviors: Your browsing patterns, typing speed, and timing can fingerprint you

Communication Discipline

Establish protocols that minimize risk:

Pre-agreed security words: Establish codes for urgent situations
Scheduled check-ins: Agree on regular communication windows
Dead drop protocols: Establish fallback methods if primary channels fail
Automatic message deletion: Configure messages to delete after reading

Physical Security

Digital security means nothing without physical security:

Use screen filters to prevent shoulder surfing
Access sensitive communications in private locations
Never leave devices unlocked or unattended
Consider faraday bags for storing sensitive devices

Recovery and Incident Response

If You Suspect Compromise

Have a pre-planned response:

Immediately stop using compromised devices for sensitive communication
Power down devices—do not reboot, as startup may trigger evidence destruction
Preserve evidence: If safe, image the device before any cleanup
Switch to backup channels using pre-established protocols
Notify your journalist through a secure fallback method

Backup Communication Plans

Always maintain redundant communication methods:

Primary: Signal with burner number
Secondary: PGP-encrypted email through Tor
Tertiary: Encrypted dead drop using secure file hosting
Emergency: Physical dead drop with pre-arranged location

Technical Detection Vectors and Countermeasures

Sophisticated adversaries use multiple detection methods. Understanding each improves your defense:

# Attack vectors and countermeasures for source-journalist communication

class SourceThreatVectors:
    """Technical attacks that could identify sources"""

    vectors = {
        'timing_analysis': {
            'attack': 'Correlate message send times with publishing',
            'example': 'Editor receives leak, publishes article within hours',
            'defense': 'Use asynchronous communication with random delays'
        },
        'metadata_analysis': {
            'attack': 'EXIF data, document properties, timezone info',
            'example': 'PDF metadata shows "Edited by John Smith"',
            'defense': 'Strip all metadata using Mat2, convert to plain text'
        },
        'linguistic_fingerprinting': {
            'attack': 'Writing style analysis identifies source',
            'example': 'Unusual phrases, grammar patterns match employee',
            'defense': 'Rewrite documents in neutral tone, break up distinctive phrasing'
        },
        'location_correlation': {
            'attack': 'IP address, cell tower data, WiFi SSID fingerprinting',
            'example': 'Source connects from office building where story originated',
            'defense': 'Use Tor for all communications, access from public WiFi'
        },
        'endpoint_compromise': {
            'attack': 'Malware captures messages before encryption',
            'example': 'Keylogger records communication on personal device',
            'defense': 'Use dedicated device for source communications only'
        },
        'supply_chain_attack': {
            'attack': 'Compromise encryption tools themselves',
            'example': 'Signal backdoor allows NSA decryption',
            'defense': 'Use open-source tools audited by security researchers'
        }
    }

    @staticmethod
    def detect_timing_correlation():
        """Detect if your message timing is visible"""
        import time
        import random

        # Random delay before sending (5-30 minutes)
        delay = random.randint(300, 1800)
        print(f"Delaying message by {delay} seconds to break correlation")
        time.sleep(delay)

        # Send at randomized interval
        message_queue = []
        return message_queue

    @staticmethod
    def strip_document_metadata(filepath: str) -> str:
        """Remove all metadata before sharing"""
        import subprocess

        # Using mat2 (Metadata Anonymization Toolkit v2)
        result = subprocess.run(
            ['mat2', '--inplace', '--remove-all', filepath],
            capture_output=True
        )

        if result.returncode == 0:
            print(f"Metadata stripped from {filepath}")
        return filepath

    @staticmethod
    def detect_linguistic_patterns(text: str) -> dict:
        """Analyze writing style for fingerprinting risk"""
        metrics = {
            'avg_word_length': sum(len(w) for w in text.split()) / len(text.split()),
            'unique_words': len(set(text.split())),
            'sentence_variety': len(set(s.split() for s in text.split('.'))),
            'distinctive_phrases': []
        }

        # Identify high-risk distinctive phrases
        distinctive = ['leverage', 'synergy', 'circle back', 'deep dive']
        for phrase in distinctive:
            if phrase in text.lower():
                metrics['distinctive_phrases'].append(phrase)

        return metrics

Operational Security Discipline

Technical tools fail without operational discipline:

#!/bin/bash
# Source operational security checklist

echo "=== SOURCE COMMUNICATION OPSEC ==="

# 1. DEVICE PREPARATION
echo "1. Device isolation check"
# Verify device is air-gapped or isolated
if [ -f ~/.ssh/config ]; then
    echo "  WARNING: SSH config detected - may indicate identity linkage"
fi
if pgrep -l dropbox > /dev/null; then
    echo "  ERROR: Cloud sync running - must disable"
    killall dropbox
fi

# 2. NETWORK VERIFICATION
echo "2. Network identity verification"
# Verify Tor is working
curl -s https://check.torproject.org/api/ip | jq '.IsTor'
# Should return: true

# 3. COMMUNICATION PREPARATION
echo "3. Document preparation"
# Strip metadata from documents
find . -name "*.pdf" -o -name "*.docx" | while read file; do
    mat2 --inplace "$file"
    echo "  Stripped: $file"
done

# 4. PRE-COMMUNICATION VERIFICATION
echo "4. Verify journalist identity before first contact"
# Check PGP key fingerprint through multiple sources
# - Published on website
# - In WhatsApp about section
# - On Twitter verified check
# If all three match, likely legitimate

# 5. POST-COMMUNICATION CLEANUP
echo "5. Communication cleanup"
# Clear all traces
history -c
sudo shred -vfz -n 5 ~/.bash_history
pkill -f signal  # Kill Signal process
# Unplug USB device, reboot

echo "=== OPSEC COMPLETE ==="

Detecting Investigative Surveillance

If authorities or adversaries are investigating you:

# Warning signs of active investigation

warning_signs = {
    'social_engineering': [
        'Unexpected contact from unknown reporter',
        'Sudden interest in your daily routine',
        'People claiming to know your personal details',
        'Offers that seem too good to be true'
    ],
    'technical_indicators': [
        'Messages failing to send, then succeeding',
        'Unexpected battery drain',
        'Device running hot without apps open',
        'Network connections during sleep',
        'SIM card requiring authentication'
    ],
    'physical_surveillance': [
        'Same vehicle parked near home repeatedly',
        'Unfamiliar people in area watching',
        'Broken car window/lock tampering signs',
        'Mail appearing opened or displaced'
    ],
    'operational_failure': [
        'Story publishes before you intended',
        'Information that only you know becomes public',
        'Journalist contact information compromised',
        'Law enforcement asking questions about communications'
    ]
}

def respond_to_compromise():
    """If you suspect compromise"""
    steps = [
        '1. STOP all communication immediately',
        '2. Power down compromised device - do NOT reboot',
        '3. Contact journalist through new method established beforehand',
        '4. Preserve evidence of compromise if safe to do so',
        '5. Consider contacting attorney for legal advice',
        '6. Assess physical safety - move location if necessary',
        '7. Do NOT attempt to debug or "fix" compromised device'
    ]
    return steps

Built by theluckystrike — More at zovo.one