What’s The Difference Between Whistleblower & Leaker?


An American who gets labeled a “whistleblower” becomes a hero. Get labeled a “leaker” and you could be branded a traitor and end up in jail. What’s the difference? It all depends on the status of the information shared and the channels that the information travels through to become public.

Whistleblower Protections: In essence, a whistleblower is a leaker of information that certain parties would have preferred to remain secret. To encourage people to come forward with information out of concern for public safety, there are U.S. statutes that protect whistleblowers. However, there is a fine line between being a protected whistleblower and a criminal leaker.

Status Of Information: Any American citizen can disclose corporate or government information so long as it is not federally classified information and is not a disclosure prohibited by the Uniform Trade Secrets Act.

  • Trade Secrets: A patented product or process is one tangible example of a trade secret. Patent information is protected for 17 years. But companies and individuals also enjoy protection of certain trade-related information beyond what is covered by a patent. However a trade secret is specifically defined, it enjoys legal protection.
  • Federal Information: There are generally three categories of federally classified material: sensitive, secret and confidential. The category is determined by who might be harmed if the information went public. However, material must be de-classified after it ages past the 25-year mark unless it meets a narrow exemption, such as designs for nuclear weapons.

Lifting The Veil: But what if it is in the best interest of the public that legally protected secrets be revealed? The difference between a whistleblower and a leaker is defined in the key decision on how to go about lifting the veil. To enjoy legal protection, a whistleblower must go through proper channels to bring the information to light. A leaker goes straight to the public. A whistleblower is legally protected from prosecution via the Whistleblower Protection Enhancement Act of 2012. A leaker doesn’t have the same protection. That is why leakers often exercise their freedom of speech in ways that protect their anonymity.

Information might be leaked anonymously to a news agency or journalist. Leaking directly to the public through the Internet is also popular. Platforms like OrangeWebsite are committed to supporting freedom of speech and make it easy to go public in a global forum.

Why Go Rogue? If there are legal protections in place that allow a concerned citizen to bring important information to the public’s attention, why risk legal trouble by becoming a leaker? There are usually three different circumstances that inspire a person to go rogue with classified information or trade secrets.


1. Frustration: A person trying to serve the public interest by first going through the proper channels may become frustrated if they experience stonewalling. The wheels of bureaucracy oftentimes churn quite slowly. A concerned citizen may have had every intention of being a protected whistleblower. They reasonably expected “the system” to work. They wanted to put an end to improper corporate practices, abuse of authority or other circumstances they felt endangered the public or violated public trust. However, should they grow anxious while awaiting results from raising the matter through the proper channels, they might decide to go rogue, especially if they believe that lives are at stake.

2. Money: Where trade secrets or military intelligence are concerned, the pay-out of a lifetime could become an irresistible temptation even for the most scrupulous concerned citizen. Enemies of the state and eagerly competitive entrepreneurs understand the value of such information. They are willing to pay to get their hands on what will surely be the information that makes their careers. The average citizen is no match for highly skilled negotiators tasked with securing sensitive information.

3. Political Motives: Although it is easy to ascribe political motives to many leaks that reveal embarrassing or compromising information about politicians, political motives can run much deeper. Sometimes there is real villainy attached to the political motives behind a leak of classified information or trade secrets. Traditional politics can inspire a person to leak information that endangers military and intelligence personnel. In a country engaged in war, there are those within its own populace willing to do anything to resist and interfere with military action. But the definition of politics is more nuanced. Even a corporate environment has its own politics. A leaker of a trade secret could simply be a disgruntled employee seeking to sabotage an employer as a form of retribution.


Where The Government Stands: Although it may seem that the U.S. government is always up to something nefarious, the truth is that agencies strenuously encourage blowing the whistle on misconduct or wrongful acts. There are hotlines provided, such as those of the Offices of Inspector General (OIG). Presidential directives prohibit employer retaliation toward a whistleblower. The U.S. Occupational Safety and Health Administration (OSHA) has a whistleblower website. The Office of Special Counsel (OSC) is tasked with investigating and prosecuting allegations received from whistleblowers. By making it easy to communicate concerns to federal officials, the government is signalling to concerned citizens that the State does, indeed, care about doing the right thing. But a whistleblower must be patient, understanding that the investigative process is tedious, lengthy and, by its very nature, quiet. It may seem like nothing is happening when the exact opposite is true.

The Risk Of Going Rogue: Should a whistleblower throw their hands up in the air, grow impatient and cross the line to become a leaker, they put themselves at risk of prosecution. Should a case be made against them, their motive will be the hinge upon which the case turns. Even if the motive is concern for the public, if the whistleblower grew impatient with the process, the mood of the country could still bring the full weight of the law down on them. In a national climate strained by war, hostile politics, and a number of public actors who became notorious leakers and escaped justice, the federal government may seek to make an example of a leaker, and any leaker will do, even one with noble intentions.

For more information on issues related to freedom of speech, security and online privacy, please contact us. That is our mission: to provide a platform for the words people wish to share with the world.

The Increasing OAuth Phishing Threat

People are gradually growing more careful about phishing schemes that impersonate websites and ask for their passwords. But what if they don’t have to give a password to let an unauthorised party get at their data? That’s exactly what happened in a recent phishing campaign aimed at Google users. Hard numbers aren’t available on how many people were affected, but Google said the number was “fewer than 0.1% of Gmail users,” which could be as many as a million.

The Google Docs spoof

People received a message on their Gmail accounts, usually from an address they knew, asking them to open a “Google Doc.” If they did, it asked them to give Google Docs certain permissions, including permission to “read, send, delete, and manage your email.” No password confirmation was necessary, since the victim was already logged in. The only trouble was that the application wasn’t Google Docs but a malicious lookalike web app.

If the victim gave permission, the attacker could then use the account to send the same email to the victim’s contacts. This could have spread without limit if Google hadn’t promptly shut the application down.

The deception took advantage of design and implementation weaknesses in the widely used OAuth2 specification, which allows one Web application privileged access to another. Researchers had warned in 2011 that this kind of spoofing was possible, creating a proof-of-concept application. The 2017 attack may have drawn directly on that code.

What made the attack plausible

A combination of design issues with OAuth, social factors, and implementation choices by Google made the spoofing plausible to anyone without a strong understanding of security issues. The application was in fact hosted on Google, which lets users develop applications for public use. It was a reasonable imitation of Google Docs; the URL was wrong, but it was a Google URL. The mail came from trusted accounts.

The application was called “Google Docs.” Until very recently, Google didn’t prevent user applications from using its name. It still doesn’t provide any warning when an application making this type of request isn’t under Google’s control.

There’s no good reason Google Docs should ask for access to the user’s Gmail account, but people are used to wildly excessive requests for authorization. Websites that let you connect your account to LinkedIn often ask for permission to post on your behalf. Most people apparently grant it without worrying.


The trouble with OAuth

The deeper problems, which aren’t restricted to Google, lie in the OAuth standard. It’s an authorization system that is weak on authentication. Without additional protections, it is easy to trick users into giving untrustworthy applications access to their private data.

In brief, OAuth2 lets a client application request permissions from a server. Only authorized applications can make requests. An application that’s allowed to use OAuth receives a client ID, which is public information, and a client secret (or key), which is confidential.

When the client app invites the user to give it permission, it redirects the user to a server URL. The server will inform the user of the request and give a choice of denying or allowing authorization. If the user allows it, the server redirects back to the client and sends an authorization code, which the client has to retain for as long as it wants to keep the permission. This could be just for a session or permanent. The server can limit its duration.
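To make the exchange concrete, here is an added example, constructed for this article rather than taken from Google or any OAuth library, that models both sides in memory: the server issues a public client ID and a confidential secret at registration, the consent endpoint validates the client and its registered redirect URI before asking the user anything, an approval produces a short-lived single-use authorization code, and the client redeems that code at a token endpoint (as RFC 6749 specifies, the code is traded for an access token that the client then keeps). The client name, redirect URI and scope strings are made up.

```python
"""Toy OAuth2 authorization-code flow: both the authorization server and the
client app, in memory. Constructed for illustration; client ids, secrets, scope
names and redirect URIs are made up."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import urlencode, urlparse, parse_qs


@dataclass
class Client:
    client_id: str        # public
    client_secret: str    # confidential, known only to the client and the server
    name: str             # self-selected display name (not trustworthy on its own)
    redirect_uris: list   # registered at enrolment; the server redirects nowhere else


@dataclass
class AuthServer:
    clients: dict = field(default_factory=dict)
    codes: dict = field(default_factory=dict)    # code -> (client_id, scope, expiry)
    tokens: dict = field(default_factory=dict)   # token -> (client_id, scope)
    code_ttl: int = 60                           # codes are short-lived and single-use

    def register(self, name, redirect_uris):
        """Enrol a client: this is where the operator should screen the applicant."""
        c = Client(secrets.token_hex(8), secrets.token_hex(16), name, list(redirect_uris))
        self.clients[c.client_id] = c
        return c

    def authorize(self, client_id, redirect_uri, scope, state, user_approves):
        """Consent endpoint. Validates the client and redirect URI before anything is
        shown to the user, then redirects back with a code (approved) or an error."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client.redirect_uris:
            raise ValueError("unknown client or unregistered redirect_uri")
        if not user_approves:
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, scope, time.time() + self.code_ttl)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code):
        """Token endpoint. Only the client holding the secret may redeem a code; the
        code must belong to that client and be unexpired and unused."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client.client_secret, client_secret):
            return None
        entry = self.codes.pop(code, None)    # pop: a second redemption fails
        if entry is None or entry[0] != client_id or entry[2] < time.time():
            return None
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = (client_id, entry[1])
        return tok

    def revoke_client(self, client_id):
        """What a provider does with a rogue app: drop its registration and every token."""
        self.clients.pop(client_id, None)
        self.tokens = {t: v for t, v in self.tokens.items() if v[0] != client_id}


def code_from_callback(url):
    """Parse the authorization code out of a callback URL (None if the user denied)."""
    params = parse_qs(urlparse(url).query)
    return params.get("code", [None])[0]


def run_flow(server, client, scope, user_approves=True):
    """Client side of the exchange; returns an access token or None."""
    state = secrets.token_urlsafe(16)                 # ties the callback to this request
    redirect_uri = client.redirect_uris[0]
    callback = server.authorize(client.client_id, redirect_uri, scope, state, user_approves)
    params = parse_qs(urlparse(callback).query)
    if params.get("state", [None])[0] != state:      # callback not from our request
        return None
    code = code_from_callback(callback)
    if code is None:                                  # user clicked "deny"
        return None
    return server.token(client.client_id, client.client_secret, code)


if __name__ == "__main__":
    srv = AuthServer()
    app = srv.register("Example Docs Viewer", ["https://app.example/callback"])
    token = run_flow(srv, app, "docs.readonly")
    print("granted:", srv.tokens[token])
    srv.revoke_client(app.client_id)
    print("token still valid after revocation:", token in srv.tokens)
```

Two design points matter for the attack described above: the server only ever redirects to a URI registered at enrolment, so a code cannot be sent to an address the client did not declare, and `revoke_client` is the one-line equivalent of what Google did within the hour, invalidating every token the rogue application had collected.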

An obvious problem with this arrangement is that the server needs to trust a client over which it has no control. The client might be trustworthy at the time it gets permission, but a change of policy or a malware infection could change that. Theoretically, users should trust only applications in which they have very high confidence, but many people are far too trusting. The organization operating the server needs to carefully limit the clients it will give access to.

A poor implementation lets a client pretend to be a trusted application. The server has some control over this, since it knows what application is making the request, but it may or may not make it obvious to the user. If it just displays the application’s self-selected name, that’s weak protection.

Users who authorize a rogue application may not even realize there’s a problem. Google and other sites that use OAuth normally make a list of authorized applications available to the user and allow revocation, but it’s buried somewhere in the user settings.

Future risks

It’s a lucky thing that the Gmail attack apparently did little damage. One thing Google did right was to catch the rogue application and revoke its credentials within an hour. We can be sure others will try similar tricks, sometimes with services that don’t react so quickly. Any organization that uses OAuth to grant third-party applications access to its site should review its implementation and policy to make sure it isn’t vulnerable.

The most important precaution is to screen applicants for credentials carefully. A lot of users will give permission to any application that seems to do something useful, so it isn’t enough to trust them to exercise discretion.

Even if what an application currently does is legitimate, the applicant’s reputation needs to be good enough that it isn’t likely to misuse its authorization in the future. Clients should be periodically reviewed to make sure they still deserve trust. If there’s any sign they don’t, it’s important to follow up quickly and, if necessary, revoke authorization. Even an honest organization could have its credentials stolen or its code infected.

The organization should think carefully about what kinds of access it should authorize. The power to speak for the user can be used for fraudulent purposes. The power to read private data could allow theft of secrets. There needs to be a convincing case that the benefits from the application justify the risks.
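The two provider-side controls this article keeps returning to, a consent screen that does not rely on the application's self-selected name (the weakness noted under "The trouble with OAuth") and a screening step that rejects brand impersonation, unverified publishers and scopes out of proportion to the declared purpose (the precautions above), can be expressed as a small policy module. The following is an added example written for this article, not Google's review process or any vendor's code; the brand list, scope names and scope-to-purpose table are assumptions modelled on the permissions quoted earlier.

```python
"""Provider-side policy checks for third-party OAuth clients: a screening
function run at registration and the consent-screen text shown to users.
Constructed example; the brand list, scope names and purpose table are assumed."""
import re
import unicodedata

PROVIDER_BRANDS = ("google", "gmail", "google docs", "google drive")   # assumed list

# Scope name -> plain-language description of the power it confers (assumed names).
SCOPE_MEANING = {
    "docs.readonly": "view documents you open with it",
    "mail.modify": "read, send, delete and manage your email",
    "mail.send": "send email on your behalf",
    "contacts.read": "read your contacts",
}
# Which scopes a declared purpose plausibly needs; anything else is excessive.
PURPOSE_SCOPES = {
    "document viewer": {"docs.readonly"},
    "mail client": {"mail.modify", "mail.send", "contacts.read"},
}


def normalize_name(name):
    """Fold accents, case, punctuation and spacing so trivial variations of a brand
    name still match. (Does not handle look-alike letters from other scripts.)"""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(re.sub(r"[^a-z0-9 ]+", "", ascii_name.lower()).split())


def review_client_request(name, publisher, publisher_verified, purpose, scopes,
                          first_party=False):
    """Screen a registration request. Returns a list of findings; empty means it passes."""
    findings = []
    folded = normalize_name(name)
    if not first_party and any(brand in folded for brand in PROVIDER_BRANDS):
        findings.append(f"name {name!r} uses the provider's own brand")
    if not publisher_verified:
        findings.append(f"publisher {publisher!r} has not been verified")
    allowed = PURPOSE_SCOPES.get(purpose, set())
    for scope in scopes:
        if scope not in allowed:
            findings.append(f"scope {scope!r} ({SCOPE_MEANING.get(scope, scope)}) "
                            f"exceeds declared purpose {purpose!r}")
    return findings


def consent_text(name, publisher, publisher_verified, client_id, scopes):
    """Consent-screen wording that never relies on the self-selected name alone:
    it names the verified publisher, or warns and shows the client id instead."""
    if publisher_verified:
        who = f"{publisher} (verified publisher)"
    else:
        who = f"an UNVERIFIED developer (client id {client_id}), not the service itself"
    lines = [f'"{name}", published by {who}, wants to:']
    lines += [f"  - {SCOPE_MEANING.get(s, s)}" for s in scopes]
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in review_client_request("Gōogle Docs", "unknown dev", False,
                                         "document viewer", ["mail.modify", "contacts.read"]):
        print("REJECT:", finding)
    print(consent_text("Google Docs", "unknown dev", False, "cid-0001", ["mail.modify"]))
```

Run as a script, the first call rejects a request shaped like the 2017 lookalike on all three grounds, while the consent text shows what a user would have seen had the screen named the publisher and client id rather than just the chosen name. A periodic re-run of `review_client_request` over the existing client list, with the current scopes each client holds, is the "clients should be periodically reviewed" step in code.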

Authorizing third-party applications can greatly increase the value of a service, but it carries serious responsibility. Anyone who implements it needs to be aware of its dangers and make choices that minimize the chances of abuse.

If you’re concerned with the security of your planned website, OrangeWebsite will provide hosting that will satisfy your needs. Contact us to learn more.