[p2p-hackers] Whistle-blower site platform design

Ian G iang at iang.org
Thu Dec 23 01:15:39 PST 2010 

On 23/12/10 5:44 AM, Len Sassaman wrote:

> 2. Source protection. The site needs to provide a means for whistleblowers
> to contact the site operators, discuss issues, and submit documents in an
> anonymous manner. Wikileaks solves this with Tor, though there might be
> other ways. We need a clearly defined threat model to build against, and
> must keep in mind that usability is a security concern -- we have to
> assume that the whistleblowers are not geeks, and the site operators may
> not be, either.


If I think of the 3 whistleblower cases I'm mildly familiar with, there 
is no commonality between the source protection aspects.  I think this 
might be something where whatever technical system you put in place, a 
wise whistleblower would not be keen to trust it.  Given that the 
typical cost of being a whistleblower is probably minimum loss of income 
for years, and loss of liberty likely, it might be a really high target.

If that view holds, it might be better kicked out of any technical 
design for a publishing system.

> 3. Censorship resistance. If 2. brings to mind Tor, 3. brings to mind the
> Eternity Service. In this model, the publisher does not need to be
> anonymous, but the data needs to be authenticated and the service
> distributed. The CouchDB-based mirrors of the Afghanistan War Diaries
> provide a promising first-attempt; to be successful, these sites need to
> be able to leverage jurisdictional arbitrage and distributed hosting to
> resist network denial of service attacks and legal attacks aimed at
> taking their sites offline, as well as data corruption attacks aimed at
> invalidating the material by attacking its credibility with the
> introduction of false documents, etc.
>
> 3.a. would be a way for third-parties to obtain the material provided by
> these services in an anonymous fashion; I see this as lower priority than
> the other issues, but still something to think about.

OTOH, If you wanted to make source protection strong *and* technical 
(e.g., uploading), then you might want to make it the same system for 
both uploading and downloading.  Hiding the source in a crowd of 
downloaders is one benefit, and making the download protection high 
profile may help to make the overall source/sink protection better.


4.  Gatekeeper role.  It would seem that any pure technical system could 
be flooded by junk.  Typically a team is needed to analyse, filter, edit 
and approve.


> My goal here is to develop a formal, realistic model for the operation of
> a legitimate journalistic whistle-blower material clearinghouse. I'm
> basically proposing we replicate in public, with peer-review, the process
> I assume Wikileaks itself has undergone for the design of their system.
> Let's identify the likely attacks and attack vectors for given
> adversaries, compose a solution based on available technology, and
> assemble it in as easily deployable a manner as possible.
>
> Who else is interested? Let's get this discussion rolling.

Some thoughts!

iang
_______________________________________________
p2p-hackers mailing list
p2p-hackers at lists.zooko.com
http://lists.zooko.com/mailman/listinfo/p2p-hackers

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

More information about the cypherpunks-legacy mailing list