On 23/12/10 5:44 AM, Len Sassaman wrote:
> 2. Source protection. The site needs to provide a means for whistleblowers to contact the site operators, discuss issues, and submit documents in an anonymous manner. Wikileaks solves this with Tor, though there might be other ways. We need a clearly defined threat model to build against, and must keep in mind that usability is a security concern -- we have to assume that the whistleblowers are not geeks, and the site operators may not be, either.
If I think of the 3 whistleblower cases I'm mildly familiar with, there is no commonality between the source protection aspects. I think this might be something where, whatever technical system you put in place, a wise whistleblower would not be keen to trust it. Given that the typical cost of being a whistleblower is probably, at minimum, loss of income for years, and likely loss of liberty, it might be a really high target. If that view holds, it might be better kicked out of any technical design for a publishing system.
> 3. Censorship resistance. If 2. brings to mind Tor, 3. brings to mind the Eternity Service. In this model, the publisher does not need to be anonymous, but the data needs to be authenticated and the service distributed. The CouchDB-based mirrors of the Afghanistan War Diaries provide a promising first attempt; to be successful, these sites need to be able to leverage jurisdictional arbitrage and distributed hosting to resist network denial of service attacks and legal attacks aimed at taking their sites offline, as well as data corruption attacks aimed at invalidating the material by attacking its credibility with the introduction of false documents, etc.

> 3.a. would be a way for third parties to obtain the material provided by these services in an anonymous fashion; I see this as lower priority than the other issues, but still something to think about.
OTOH, if you wanted to make source protection strong *and* technical (e.g., uploading), then you might want to make it the same system for both uploading and downloading. Hiding the source in a crowd of downloaders is one benefit, and making the download protection high profile may help to make the overall source/sink protection better.

> 4. Gatekeeper role. It would seem that any pure technical system could be flooded by junk. Typically a team is needed to analyse, filter, edit and approve.
> My goal here is to develop a formal, realistic model for the operation of a legitimate journalistic whistle-blower material clearinghouse. I'm basically proposing we replicate in public, with peer-review, the process I assume Wikileaks itself has undergone for the design of their system. Let's identify the likely attacks and attack vectors for given adversaries, compose a solution based on available technology, and assemble it in as easily deployable a manner as possible.

> Who else is interested? Let's get this discussion rolling.
Some thoughts!

iang

_______________________________________________
p2p-hackers mailing list
p2p-hackers@lists.zooko.com
http://lists.zooko.com/mailman/listinfo/p2p-hackers

----- End forwarded message -----
--
Eugen* Leitl http://leitl.org
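As an added example (not code from this thread, nor from Wikileaks or the Eternity Service), here is the authentication property Len asks for in point 3, the one that lets distributed mirrors resist "data corruption attacks ... with the introduction of false documents": the publisher commits to a release with a single Merkle root distributed out of band, and anyone holding a mirror's copy recomputes the root and detects an altered or injected document without trusting the mirror operator. Document names and contents are constructed samples.

```python
"""Content-addressed manifest for a mirrored document set (added example)."""
import hashlib


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(name: str, content: bytes) -> bytes:
    # Tag 0x00 separates leaves from interior nodes; length-prefixing and
    # binding the filename stops two documents' contents being swapped
    # without changing the root.
    nb = name.encode("utf-8")
    return h(b"\x00" + len(nb).to_bytes(4, "big") + nb + content)


def merkle_root(docs: dict) -> bytes:
    # Sort by name so every mirror derives the same tree from the same set.
    level = [leaf_hash(name, docs[name]) for name in sorted(docs)]
    if not level:
        return h(b"\x02")  # sentinel root for an empty release
    while len(level) > 1:
        nxt = [h(b"\x01" + level[i] + level[i + 1])
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:      # odd count: carry the last node up unchanged
            nxt.append(level[-1])
        level = nxt
    return level[0]


def verify_mirror(published_root: bytes, mirror_docs: dict) -> bool:
    # A mirror is faithful iff its copy reproduces the publisher's root.
    return merkle_root(mirror_docs) == published_root


# Constructed sample release: the publisher's canonical document set.
RELEASE = {
    "cable-001.txt": b"Text of cable 001 (constructed sample).",
    "cable-002.txt": b"Text of cable 002 (constructed sample).",
    "cable-003.txt": b"Text of cable 003 (constructed sample).",
}
PUBLISHED_ROOT = merkle_root(RELEASE)  # the one value distributed out of band


def demo() -> dict:
    faithful = dict(RELEASE)
    injected = dict(RELEASE, **{"cable-004.txt": b"Forged document slipped in."})
    altered = dict(RELEASE, **{"cable-002.txt": b"Text of cable 002, quietly edited."})
    return {
        "faithful": verify_mirror(PUBLISHED_ROOT, faithful),
        "injected": verify_mirror(PUBLISHED_ROOT, injected),
        "altered": verify_mirror(PUBLISHED_ROOT, altered),
    }
```

Only the 32-byte root has to be authenticated out of band; everything else can be fetched from any untrusted mirror.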