[p2p-hackers] Whistle-blower site platform design

Len Sassaman Len.Sassaman at esat.kuleuven.be
Wed Dec 22 10:44:22 PST 2010 

Greetings, p2p-hacker folks,

This list seems to be the most direct spiritual successor to the 
cypherpunks list, which is where I'd want to raise this issue if it still 
existed.

As most of you are undoubtedly aware, the sudden surge in attention 
Wikileaks has gained in the last months have resulted in at least half a 
dozen imitation "leaks" sites -- from OpenLeaks, founded by former 
Wikileaks staff who have different ideas on how such a site should 
operate, to regional whistle-blower and transparency sites such as 
Brusselsleaks, Balkanleaks, Pirateleaks.cz, etc.

Let me first state I think that this is absolutely a good thing -- in 
principle. Relying on a single initiative such as Wikileaks both gives way 
too much power to the organization in question, and makes it a 
high-profile target. The rise of independant leak publishers decentralizes 
the fundamental service these sites provide, and brings attention back to 
the content of their publications rather than the personalities of the 
individuals involved.

It's also problematic for a number of reasons: firstly, reputation. Who is 
BrusselsLeaks? Why should a whistleblower trust that the operators of that 
site have his/her interests in mind? What's to say they're not an 
initiative of an intelligence agency? I'm not sure there's anything to be 
done about that, except wait and let these other players earn their own 
reputation capital.

However, it's painfully clear to me that a number of these sites don't 
have the first clue when it comes to technological measures they should be 
taking to protect their sources. E.g., BrusselsLeaks is running their 
operation with Wordpress and Hushmail -- hardly a hardened solution.

Wikileaks has had four years and the input of top network security 
experts, cryptographers, p2p-hackers, and cypherpunks, to create a system 
hardened against predictable threats. It's quite likely that had Bradley 
Manning not made the mistake of "confessing" to a government snitch posing 
as a journalist, he'd not be in jail today. Wikileaks, according to what I 
can gather from press reports and comments from people involved, as well 
as examining their site, relies on a Tor Hidden Service setup for 
receiving submissions. That alone is hardly enough to protect the site 
from attacks on the anonymity of its sources, the integrity and security 
of its site, or its network presense, but already requires a level of 
technical sophistication that is lacking in most of these "copy-cat" 
sites.

I'd like to see us come up with an easy-to-deploy solution for launching a 
leaks site with the security considerations addressed, perhaps in the form 
of a "soft appliance" distribution, but first we need a basic requirements 
document. What are the technical security requirements of such a service?

Off the top of my head, I think we can divide this into three parts:

1. General site security. The website/servers need to be resistant to 
compromise, and also need to be prepared for the same. The credibility of 
Wikileaks would be severely damaged if an attacker were able to, for 
example, introduce fake diplomatic cables to the cache of documents 
waiting to be released, so that the Wikileaks staff inadvertantly 
published false information. So in addition to protecting against 
breakins, the system needs to be designed to maintain data integrity in 
the face of compromise.

2. Source protection. The site needs to provide a means for whistleblowers 
to contact the site operators, discuss issues, and submit documents in an 
anonymous manner. Wikileaks solves this with Tor, though there might be 
other ways. We need a clearly defined threat model to build against, and 
must keep in mind that usability is a security concern -- we have to 
assume that the whistleblowers are not geeks, and the site operators may 
not be, either.

3. Censorship resistance. If 2. brings to mind Tor, 3. brings to mind the 
Eternity Service. In this model, the publisher does not need to be 
anonymous, but the data needs to be authenticated and the service 
distributed. The CouchDB-based mirrors of the Afghanistan War Diaries 
provide a promising first-attempt; to be successful, these sites need to 
be able to leverage jurisdictional arbitrage and distributed hosting to 
resist network denial of service attacks and legal attacks aimed at 
taking their sites offline, as well as data corruption attacks aimed at 
invalidating the material by attacking its credibility with the 
introduction of false documents, etc.

3.a. would be a way for third-parties to obtain the material provided by 
these services in an anonymous fashion; I see this as lower priority than 
the other issues, but still something to think about.

My goal here is to develop a formal, realistic model for the operation of 
a legitimate journalistic whistle-blower material clearinghouse. I'm 
basically proposing we replicate in public, with peer-review, the process 
I assume Wikileaks itself has undergone for the design of their system. 
Let's identify the likely attacks and attack vectors for given 
adversaries, compose a solution based on available technology, and 
assemble it in as easily deployable a manner as possible.

Who else is interested? Let's get this discussion rolling.


Best,

Len
_______________________________________________
p2p-hackers mailing list
p2p-hackers at lists.zooko.com
http://lists.zooko.com/mailman/listinfo/p2p-hackers

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

More information about the cypherpunks-legacy mailing list