* Use a Linux live CD on the "burner laptop" -- don't trust the preinstalled OS
* Change the MAC address of the Wifi used to connect at the internet cafe
* Use Tor, most easily via the Vidalia browser bundle
The author also does not mention that leaking documents can expose the whistleblower via watermarking and user information embedded in the file (most infamously in MS Word documents with versioning).
Edit: update formatting
Tails is a Linux distribution aimed at privacy and anonymity.
Or parking up and walking past the bank next to the coffeeshop a few more minutes before entering the coffeeshop?
You have to be even more paranoid if you are on a short list of people with access to the information - they will pull up all of your movements, possibly check traffic cameras for your car movements, etc.
Long range Wi-Fi just makes so much more sense.
Hell, even have it transcribed by a typist. Full air-gap. This whole leaking business needs to be turned into an SEO optimized translated wiki page.
Buy a stack of envelopes from a supermarket. Buy a stack of stamps. Buy a USB. Acquire all with cash. Transfer all files to the USB via live CD - make sure all meta-data is stripped and files are redacted to avoid fingering you. Handle the envelopes/stamps/USB with care - gloves + hairnets + have a shower before handling (skin cells). Print the addresses (be careful here - printers sometimes put identifying marks - get the most common inkjet that doesn't use dots). Print a message and stick it in the envelope - e.g. "USB contains leaked NSA documents on massive domestic spying. Copy files to your computer then destroy and dump USB then burn the envelope to ensure your own security." Put the stamp on. Drop the letter in the mailbox - try and get a journalist's home address, they'll read it.
Repeat for multi-journalist dump.
Make sure you don't lick the stamps and drop the letters off in physically separated postboxes without security cameras.
You do not want to be in constant communication with journalists/people whilst doing any of this, because the more you talk with them, the more you leak. You want to just strip all identifying data, dump your leak, and run. This tactic has been used for ages to transfer sensitive data, most notably by kidnappers (ransom notes), spies (easy data transfer), whistle blowers (documents) and serial killers (think Ted Kaczynski).
Printer steganography is usually limited to color laser printers and high-end inkjets. Buying a common one unfortunately won't help you. Included in the codes that have been cracked is the serial number of the printer as well as a date and time stamp of the printout.
Printers are pretty cheap these days, and it seems that in order for any of the markings to be useful they would have to find the printer in question in your possession/prove it was your printer.
However, if the documents are uniquely identifying and of incredible importance then you will want to go public, and you will want to go loud; have your face plastered everywhere, documents in every conceivable location, send them to thousands of journalists via email, scream your identity to the roof tops, don't go to ground, go to press conferences, and leave the country if at all possible before you do go loud.
Pretty hard to trace an anonymous letter.
EDIT: Just spotted the update. Question answered.
"Feds: Postal Service photographs every piece of mail it processes"
http://www.thesmokinggun.com/documents/woman-arrested-for-ob...
DO NOT DO THIS! Every printer leaves a microscopic fingerprint on every printout. The printouts can be traced back to your printer. If it's an office printer, that still narrows it down considerably.
Even electronic documents can have watermarks, etc. For photographs, there's the EXIF information, for instance. If you want to share a photo, pipe it through "djpeg | pnmscale 0.99 | cjpeg -quality 90" first. It will get rid of EXIF, and also re-compress the image, changing its signature.
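A way to check what a re-encode like the one in the comment above actually leaves in a JPEG, added here as an example and not part of the original thread: it walks the segment headers and reports every metadata-bearing segment (EXIF, XMP, ICC, Photoshop/IPTC, comments) found before the image data. The function and constant names are this example's own, and the two sample files are constructed header-only byte strings.

```python
import struct

# Payload prefixes of APPn segments that commonly carry identifying metadata.
KNOWN = {
    (0xE1, b"Exif\x00\x00"): "EXIF",
    (0xE1, b"http://ns.adobe.com/xap/1.0/\x00"): "XMP",
    (0xE2, b"ICC_PROFILE\x00"): "ICC profile",
    (0xED, b"Photoshop 3.0\x00"): "Photoshop/IPTC",
}

def metadata_segments(data: bytes):
    """Return [(label, payload_length)] for metadata segments ahead of the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    found, pos = [], 2
    while True:
        if pos + 4 > len(data) or data[pos] != 0xFF:
            raise ValueError(f"bad or truncated segment at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte before a marker
            pos += 1
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # includes its own 2 bytes
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"segment at offset {pos} overruns the file")
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xDA:          # SOS: compressed image data follows, stop here
            return found
        if marker == 0xFE:
            found.append(("comment", len(payload)))
        elif 0xE0 <= marker <= 0xEF and not payload.startswith(b"JFIF\x00"):
            label = next((name for (m, prefix), name in KNOWN.items()
                          if m == marker and payload.startswith(prefix)),
                         f"APP{marker - 0xE0} (unidentified)")
            found.append((label, len(payload)))
        pos += 2 + length

def _seg(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample files (headers only, no real image data).
_APP0 = _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
_SOS = _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x00\xff\xd9"
TAGGED = (b"\xff\xd8" + _APP0 + _seg(0xE1, b"Exif\x00\x00II*\x00\x08\x00\x00\x00")
          + _seg(0xFE, b"constructed comment") + _SOS)
CLEAN = b"\xff\xd8" + _APP0 + _SOS

if __name__ == "__main__":
    for name, blob in (("TAGGED", TAGGED), ("CLEAN", CLEAN)):
        print(name, metadata_segments(blob) or "no metadata segments")
```

An empty result only means the container carries no metadata segments; it says nothing about marks embedded in the pixels themselves.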
But I think there are still ways to work around this. You could print the doc in an internet cafe, or buy a cheap printer and then destroy it, or print it and then take a low quality photocopy. You could even write it by hand or on a typewriter.
Your best bet is large flea markets, where you can buy stuff like WiFi dongles, etc. with cash. Then wait a while before you use them.
I can't believe I'm having to write this, either. This is like giving instructions to a Soviet activist in the Cold War days, but ironically it is in my own country. How did we fall so far?
Have somebody else buy it with cash only. Surveillance cameras catching you with a printer, and you then not being able to explain where it went, will not go well.
I can't believe I actually am saying this. I truly can't believe that we are all having these kinds of conversations about something that should be as trivial as telling the truth. This is the kind of stuff I imagine the Russian mob would do, not employees of the US government who have a conscience. It is truly despicable and makes me a bit nauseated. The worst part is there doesn't seem to be a fix and there doesn't seem to be anywhere else to go to avoid this.
This is silly on a "behind 7 proxies" level. Just go to the library. If you're worried that investigators are going to swoop down CSI style to track you down because of your important secrets, maybe you should speak to a psychiatrist.
On the flip side, if you already are under suspicion, then all your efforts to anonymize a leak are in vain. You'll be the first person interrogated after a leak, and if your beliefs about the Orwellian nature of the government are true, the $10 hammer to the kneecaps (thanks XKCD) will undo any clever hiding you did.
I just don't think it makes much sense to go to these lengths. It's already understood that governments are corrupt. Are the specifics of what secrets you want to publicize worth the personal risk? If no, then you're playing spy, which is fine. If yes, then they'll probably find you if they really put their heart into it.
e.g. the New Yorker has one, called Strongbox - http://www.newyorker.com/online/blogs/closeread/2013/05/intr... - powered by Tor, designed by Aaron Swartz and others, and open-sourced as DeadDrop http://deaddrop.github.io/
In many cases when creating a new gmail account, you have to provide a phone number for an automatic text verification code.
I wonder what triggers it, maybe if a lot of different Google Accounts log in from that single IP, it assumes it's some open coffeeshop wifi or similar?
No, get a burka (the Muslim body clothing that hides the entire body) -- not only will people want to avoid you, but they wouldn't even be able to write in the description what sex you are (and with a little bonus they might assume it is not a disguise, in which case they are truly looking in the wrong direction).
So the burner phone may not be the best route.
The warrant comment suddenly sounds old-fashioned.
Also, be aware of cameras near the internet cafes or places you intend to use the burner phone.
Your trail-covering only needs to be better than the investigation capability of those who are investigating your leak.