In January 2015, Benjamin Wittes described The Intercept staff as amateurs. "They are amateurs in a world of professionals." He had the foresight to predict a major slip that would result in the capture of a leaking source. About the same time, we spoke internally of the significant holes in their leaking plan "Become a Source," namely, the advice to leak from personal computers in public coffee houses. That an organization would recommend this indicates a lack of basic understanding of end-point security behavior and common threats from state and private actors.
But the best approach, we think, is to de-personalize the Reality Winner arrest. Sure, the journalists working that story gravely erred -- as they have before -- and equally culpable are the editors who managed to publish online the NSA document complete with identifying marks. The greater worry long-term is that The Intercept and others of similar maturity work in a flawed subculture (See: Def Con) -- the bridge from computer security to operational security constructed out of well-meaning intent, but ultimately a combination of naivete, gullibility, and poor attention to detail. For example, the use of computer security "threat modeling" has no place in source operations, personal security, or physical security. This is like a first-year medical student walking in on a brain surgery to offer helpful advice.
Illustrating the subculture, a good analogy is to human tracking -- when state governments open search and rescue missions to volunteers. The volunteers are well-meaning, motivated, and driven toward success. But lacking the proper training and experience, often they do more harm than good. They destroy tracking signs, waste many hours on the wrong trails, and slow down the entire operation. Sometimes the volunteers get lost themselves and must be tracked. The Intercept appears to be a volunteer orienteering staff who lead would-be felons into quicksand. The particularly poor staff journalists and self-described "technologists" (whatever that may mean) should be blamed, but also the technologists' vocabularies and phrases in magazines and news, Twitter "OPSEC" digital operators, computer science blogs dealing in source operations, and the unrelenting worship of previous leaking sources. The short story is overzealous and panicky amateurs rushing with a sense of political revolutionary spirit, yet without having to be in danger. They just put the sources in danger, watching the marathon from the sidelines and in fact incapable of walking more than a few miles.
Going forward, the Reality Winner example should be noted as a failure of planning and preparation, but also a flaw in the leaking culture fomented by these soldiering websites. They serve in the War on Privacy and freedom of information battles, a noble path. But the environmental threats demand a security mindset, security lifestyle, and observation skills gained during training and exercise. To do this, one must leave New York City and San Francisco on occasion, walk the streets without a smartphone, and taste the air of non-permissive zones. Build up the baseline skillset, then when proficient add the "fearless, adversarial [insert cause]." Without more, we will expect detainment, arrest, and in some cases execution. Encouraging felony leaking and mishandling the source operations is a direct line to those consequences.