[liberationtech] Auditing of Auto-Update of software commonly used by Human Rights Defenders

Fabio Pietrosanti (naif) lists at infosecurity.ch
Sun May 18 05:40:57 PDT 2014


On 5/15/14, 11:47 PM, Tom Ritter wrote:
> On 14 May 2014 23:36, Fabio Pietrosanti (naif) <lists at infosecurity.ch> wrote:
>> I think that it would be very important to organize a project to Audit the
>> functionalities of Auto-Update of software commonly used by human rights
>> defenders.
> Sounds interesting. What software did you have in mind?
I think that what should be done is:
- Identify the 10-15 most used software by Human Rights Defenders for
each country where Human Rights are most in danger (to be done through
a network of on-field partners with a survey)
- Audit each of them for the Self-Update, Download methods, Download
instructions, Version checking, etc., against a defined methodology of
requirements (to be defined)
- Advise the software manufacturer on how to improve it
- Within 6 months, publish the detailed results, including a set of
additional "recommendations" to make all of those set of software

I think that there's plenty of software that is used by activists and
journalists in the field in difficult places that has a lot of
insecurities, being graphical software, data collection software, web
editing software, etc.

While our "hackish" communities mostly focus on "security
software", in the field people use just general-purpose software for
doing general-purpose work, but that's where the "adversary" able to
MitM a connection can leverage stupid bugs to inject, directly or
indirectly, monitoring malware.


-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org



