

ASK HN: How to set up a network for getting secret info out of [country X]? - macca321

Supposing that this popped up in my inbox today: "I want to set up a network for getting confidential information and banned journalism out of [country X]. How?"

After a quick phone call, I might have some requirements, in order of trickiness:

1. Someone has some footage on their camera phone they want to get out of the country without being traced, as a one-off. This person isn't very familiar with the publisher, perhaps has only heard of it.

2. A network of correspondents in 2-way communication with the publisher.

3. A network of correspondents with peer-to-peer communication.

Say that in this country the ISPs are so compromised that requests to unusual URIs would be flagged, tracked and located. Ideally any computers involved should have as little incriminating information on them as possible, and knowledge of the network's existence and methodology should not cause it to be compromised.

I have a couple of ideas, but I'm wondering what HN can come up with.
======
bhousel
You can't send secure communications over a compromised network of ISPs. Well,
you can, but not without looking suspicious. I really think you may as well
forget about using the Internet for this.

A better solution is to just use external USB hard drives with Truecrypt and
ferry them around via a network or human couriers or through the mail.
Truecrypt lets you install a hidden volume on the hard drives so that if the
drives are ever captured you have some plausible deniability about what is
really on them.

~~~
macca321
How would you look suspicious? What if you stick to communication through
innocently used domains using new accounts in internet cafes?

~~~
bhousel
There are a lot of trust issues in sending data that way.

1\. First you have to trust the machine in the internet cafe. It might have
viruses or keyloggers. You can maybe get around this by using your own laptop,
but that's not allowed in most places.

2\. Next you have to trust the network. It could be monitored or logged. You
could be vulnerable to MITM attacks or DNS poisoning. SSL is not guaranteed to
get you any real protection in this situation.

3\. So you have a compromised network - you can get around this by just PGP
encrypting whatever you want to send to the receiver (assuming you and your
receiver have done some kind of sane, out-of-band key exchange), or using
steganography tools to hide your video inside some other file, but..

4\. Now you are uploading large encrypted files to 'innocently used domains'
(whatever that means) from an internet cafe. And walking around with a laptop
with either keypairs or steganography software on it.. That's suspicious.

It's just far easier to use an external drive with TrueCrypt on it to send
your sensitive information. You can have a hidden volume containing your
really sensitive data, and a main volume where you can store some files that
are plausibly sensitive enough to warrant TrueCrypt protection, e.g. a porn
stash or some confidential business data.

------
imechura
Communicate through drafts saved in a shared webmail account that supports
https?

------
namank
The problem is publishing any such strategy on a public forum like HN will
essentially render it useless.

------
lukev
Encrypted messages hidden using steganography in media published to public,
benign websites.

