Re: [p2p-hackers] Whistle-blower site platform design
Hi Len,

I think that it's worth re-emphasising what you say in your second point: an idea like this is not going to succeed if it relies too heavily on solving the fun technical problems. Creating a theoretically nice leak submission/distribution system is definitely fun work, and I'd love to come and play, but if it were to be truly applicable then there is probably going to have to be serious compromise made in the security/usability stakes. (On that point: does Wikileaks' submission system rely on a Tor hidden service, or is there one running that you can use if you jump through the right hoops?)

A website seems necessarily the right model for access and submissions, or at least for kicking off a submissions process. Computer = Internet = web (and maybe email) for most people, and breaking that assumption is counterproductive. No-one reading non-existent submissions isn't the goal.

A threat model for source protection is surely going to be sender anonymity against the standard global passive attacker. How you bootstrap that from a "click here to submit" button will be interesting. As you point out, though, we aren't seeing a great deal of technical attacks against source anonymity. While it's definitely a real threat, I'd say it's lower on the list of priorities than the availability problems.

I think the more interesting problem, then, is in your third set of points. The major issue seems to be distributed hosting, again accessed without requiring users to jump through technical hoops. It seems to me that the most significant problems that Wikileaks has had have been the result of the DNS system allowing the pointer to the information to be removed while the information remains. (Especially when you throw BitTorrent into the mix.) At the same time, people rarely type in an actual URL (see, for example, http://rww.to/a4egy9 ). The real-world net censorship we see is akin to censoring a library by burning the catalogue.

The critical Eternity Service (and Freenet) issue of hosts being ignorant of the data that they carry will be important in resisting more legal attacks. Corruption of the leaks via injection of false documents seems an orthogonal problem, and I'm not sure how you'd automate that.

Anonymous access to the data seems to fit very neatly into Tor's use-case, with the assumption that you mainly want a web interface. For large chunks of data you might want something able to handle that kind of load, and could probably tolerate higher latencies, but again you'd probably want to start looking at building on a BitTorrent-style approach.

There are a lot more fun issues here, but I should sleep before I start writing total gibberish.

Joss

_______________________________________________
p2p-hackers mailing list
p2p-hackers@lists.zooko.com
http://lists.zooko.com/mailman/listinfo/p2p-hackers

----- End forwarded message -----
--
Eugen* Leitl http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE