[liberationtech] AdLeaks - a whistleblowing platform

Mon Jun 24 02:04:29 PDT 2013

Il 6/23/13 2:53 PM, Jens Christian Hillerup ha scritto:
> Quickly noting that I'm not affiliated with AdLeaks, just passing on 
> the information.
>
> On Sun, Jun 23, 2013 at 1:56 PM, Andrea St <andst7 at gmail.com 
> <mailto:andst7 at gmail.com>> wrote:
>
>     it sounds different from globaleaks project. Am i right? 
>
>
> Yes. GlobaLeaks seeks to establish an open-source version of the 
> submission system of Wikileaks such that any and everyone can make 
> their own leaks site. The core development team of GlobaLeaks is also 
> on this list, so I'll let them describe it further.

GlobaLeaks mission is to be a framework with support for different 
digital whistleblowing workflow and security threat model.

The AdLeaks concept is very cool (http://arxiv.org/abs/1301.6263), even 
if it appear to me very difficult to be deployed and used in a real 
world scenario:
See 6.1 (submission duration), it would keep the whistleblower 21 days 
to upload a single 2MB file.

Passive traffic analysis with correlation of timing/size/destination is 
*extremely difficult and unlikely* to be easy to be protected without 
"awareness and actions of the whistleblower" (like using an open wifi, 
an internet caffè, using Tor from another persons communication line, etc) .

For a whistleblowing project we're working on, we are going to develop a 
Widget to support covert-traffic generation:
https://github.com/globaleaks/GlobaLeaks/issues/263

This will work with inclusion into the websites of all the partners's 
website of this whistleblowing inititives.

This "does not guarantee protection to the whistleblower" doing submission.

Our widget for covert-traffic is specifically designed only to provide 
some "additional aid" in some specific case we've discussed (and that 
should be better documented in TM).

It help  for Whistleblowers that access a submission site from their 
corporate/governmental networks, trough proxy servers that save detailed 
access logs. In context where Whistleblowers are prevented from doing a 
submission (because hind a proxy) but can access it.

In such context the WB will leave trace that maybe interpreted like "he 
intended to do a submission, but then he haven't done" .

If in the Enterprise/Government organization's proxy logs, there are 
traces of thousands of users connecting to the submission interface (due 
to the Widget being embedded in third party popular websites), there 
will not be a single, incriminating "log entry" generated by the 
unaware/unconscious whistleblower, but thousands of them making slightly 
more difficult the analysis.

Supporting covert-traffic generation it's something that "help", but 
doesn't fix the real problem that i think *require* Whistleblower awareness.

Anyhow i'm excited to meet at OHM2013 the AdLeaks team and do a 
brainstorming on it! :)

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20130624/e8fa6860/attachment.html>