Hacker News
GlobaLeaks: Open-Source Whistleblowing Software (github.com/globaleaks)
131 points by kungfudoi on July 7, 2018 | 63 comments



My number 1 addresses for whistleblowing would be the NYTimes simultaneously with a German news outlet like Zeit, Spiegel, or Sueddeutsche Zeitung. My number 2 address would be Wikileaks.

These have actual, proven expertise in publishing leaks.

All those new "leak sites" have a trust problem. Although it's likely that most of them have noble intentions, it's equally likely that some of them have been funded by or have been undermined by intelligence services. I wouldn't even trust any open source software that is specifically developed for leaking sensitive information - it's simply too easy to slip an obfuscated security hole in it, and it's not as if the developers could afford regular professional audits.

I suspect some people will downvote me for this, but in highly sensitive matters I'd rather stick to those with a proven track record and evidence of having been persecuted by governments in the past.

To the people who think this is paranoid: It's not. Getting informants or people working on their behalf in crypto projects is the bread & butter of what intelligence agencies do, and it's much easier for them than their usual targets such as foreign military and agencies of state adversaries.


GlobaLeaks has had at least one professional audit of the software. I haven’t been following in recent years and they should definitely make it easier to find their current status on that score. (I just poked around on mobile and didn’t see it.)


It seems they got at least one penetration test every year since 2012: https://github.com/globaleaks/GlobaLeaks/wiki/Penetration-Te...

I'm not enough of an expert to evaluate them, but the reviews seem good and performed by auditors relevant to the community.


This is about so much more than software...


I don't get why we are making websites that are supposed to be whistle-blowing platforms. It's already been established that numerous corruptible parties can break https (e.g. by hacking a cert).

Depending on the nature of the leak, perhaps it'd be best to get it into a safe public store that won't be disappeared (e.g. the blockchain) in an encrypted fashion, and then release the key to select parties.


> It's already been established that numerous corruptible parties can break https (e.g. by hacking a cert).

* Scandal and investigation when they do, potentially leading to removal of trust from an associated CA.

* Easier and easier to detect (recently mandatory disclosure of all publicly-trusted certs https://groups.google.com/a/chromium.org/forum/#!topic/ct-po... and you can sign up to get alerts when a certificate is logged for a particular domain name).

* Onion sites also derive cryptographic security from the onion name itself. (I'm working on getting them to be allowed to have DV certs, but even without certs, the onion rendezvous protocol confirms that you've reached a party that controls a key specified in the name itself.)

(Someone else mentioned HPKP, which I've also touted in the past as improving HTTPS security, but it seems HPKP enforcement is going away, so we can't necessarily tout it for this purpose anymore...)


> Onion sites also derive cryptographic security from the onion name itself. (I'm working on getting them to be allowed to have DV certs,

Is it possible to derive a fully secure HTTPS-or-equivalent connection purely from the site's curve25519 key? It seems like that would make DV (and CAs in general) completely redundant. (And if not, is there an explanation of why not?)


I wrote an explanation about why not in

https://cabforum.org/pipermail/public/2017-November/012451.h...

See the section "Why do people want certificates for onion names?".

It's correct that both v2 and v3 onions provide end-to-end encryption based on the onion service key. In v3 onions that encryption uses more modern cryptographic primitives than in v2 onions, so the incremental cryptographic benefit would be much larger in v2, where unfortunately for historical reasons the CA industry is reluctant to allow DV certs.


That's basically what onion addresses v3 are.
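The self-authenticating name discussed in this subthread, as an added example that is not part of the original comments: a v3 onion hostname is the base32 encoding of the service's 32-byte Ed25519 public key, a 2-byte SHA3-256 checksum and a version byte, so a client can recover the expected key from the name alone. The function names and the sample key are constructed for illustration, and the code does not check that the 32 bytes are a valid Ed25519 point.

```python
import base64
import hashlib

V3_VERSION = 3      # version byte used by v3 onion services
V3_LABEL_LEN = 56   # 35 bytes (32 key + 2 checksum + 1 version) in base32
SUFFIX = ".onion"

# Constructed sample key for the demo; not a real service key.
SAMPLE_KEY = bytes(range(32))


def _checksum(pubkey: bytes, version: int) -> bytes:
    # First two bytes of SHA3-256(".onion checksum" || pubkey || version).
    data = b".onion checksum" + pubkey + bytes([version])
    return hashlib.sha3_256(data).digest()[:2]


def encode_v3_onion(pubkey: bytes) -> str:
    """Build the v3 onion hostname for a 32-byte Ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    raw = pubkey + _checksum(pubkey, V3_VERSION) + bytes([V3_VERSION])
    return base64.b32encode(raw).decode("ascii").lower() + SUFFIX


def decode_v3_onion(hostname: str) -> bytes:
    """Return the public key embedded in a v3 onion hostname.

    Raises ValueError for v2-length names, bad base32, a wrong version
    byte or a checksum mismatch (for example a mistyped address).
    """
    host = hostname.strip().lower().rstrip(".")
    if not host.endswith(SUFFIX):
        raise ValueError("not an onion hostname")
    # Subdomains are allowed; the key lives in the label next to ".onion".
    label = host[: -len(SUFFIX)].split(".")[-1]
    if len(label) != V3_LABEL_LEN:
        raise ValueError("not a v3 onion label (v2 labels are 16 characters)")
    raw = base64.b32decode(label.upper())  # binascii.Error is a ValueError
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    if version != V3_VERSION:
        raise ValueError("unsupported onion version byte")
    if checksum != _checksum(pubkey, version):
        raise ValueError("checksum mismatch")
    return pubkey


def is_valid_v3_onion(hostname: str) -> bool:
    """True when the hostname parses as a well-formed v3 onion address."""
    try:
        decode_v3_onion(hostname)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    address = encode_v3_onion(SAMPLE_KEY)
    print(address)
    print(decode_v3_onion(address).hex())
```

Parsing the name only tells the client which key to expect; the proof that the remote side controls that key comes from Tor's own handshake with the service.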


There is really no reason to involve the blockchain here unless you care about who leaked it first and who gets to claim credit for it.

Just put it up as a torrent and share the magnet link.


that’s exactly what assange did with his insurance file, and the guardian editor he was in contact with published the password for the archive of unredacted diplomatic cables in a book


I can imagine a file-hosting blockchain platform that pays out people who host, and charges people who request files. The tokens to participate in the service then get sold on the usual exchanges.


The IP of the source torrent is published.


So stick a raspberry pi rigged to automatically upload the file in your pocket and go use the free wifi at your local library?


given how many cameras are around I wouldn't be surprised if they tracked you down fairly quickly.


My pockets are generally opaque.


How about bolting it to a small drone and flying around until you find an open WiFi you can use? Then fly it into the nearest body of water.


Possibly, depends on how generic a drone you can get though, it might be possible to trace through the drone purchase and/or serial number. If you don't care about time and are willing to spend a bit of money, you could potentially attach an automatic wifi connecting and uploading raspberry pi or similar to the underside of a random car and just let it drive around. In most cities it'll eventually park near an open wifi. You might want to deploy two or three I guess.


Or you want to make a fortune on a new LeakCoinTokenICNo

What would get the most buzz? FreedomChain?


> and then release the key to select parties.

Don't do this; it has all the same problems of just giving the data to select parties directly.

Instead use http://www.gwern.net/Self-decrypting-files and post that to the blockchain. This ensures that anyone can access the data without depending on a trusted third party, but the data will already be irrevocably committed by the time anyone realizes that they want to censor it. Then publish the decryption key for convenience; if that gets censored, it's merely mildly annoying.


Recipients can set up as a Tor onion service. Just as with SecureDrop. Or sources can just publish using OnionShare.


GlobaLeaks is very explicit, also to the user, that HTTPS is not secure and strongly recommends using tor.


Who can break it with HPKP enabled?


Note that HPKP enforcement is being dropped as a mainstream browser feature, so we may not be able to rely on this particular argument much in the future. (Although an attacker might not know for sure whether some target might not still be enforcing a pin, presumably not many sites will keep announcing pins at some point.)


It's really a pity they're removing the functionality. Would it be possible to have a browser extension enforce it?


That would be interesting. It sounds like the deprecation became effective and Chrome stopped enforcing it just two weeks ago.

I don't know whether Chrome provides appropriate extension APIs to allow an extension to do this, but I have a number of colleagues who work on browser extension development whom I could ask.


The answer appears to be no, Chrome doesn't offer appropriate extension APIs to recreate HPKP functionality with an extension.


Thanks for investigating. Good to know.


Related: SecureDrop - https://securedrop.org/


I don't really understand the point of this project or similar efforts like securedrop, while understanding their motivation just fine. moving information from point A to point B is a very, very small part of the whistleblowing process, and it's already solved by other projects that are not specific to whistleblowing. trusting the recipient of sensitive information to use it well is a much more difficult problem, and it can't be solved by software. if reality winner had used the intercept's securedrop instance to transmit her information, it clearly wouldn't have prevented them from mishandling it.


> trusting the recipient of sensitive information to use it well is a much more difficult

Just curious, why is that even in the process? If you want to spread information, would you not distribute it to as many people as possible? Why do you have to trust the recipient?


ethics and time constraints. whistleblowing and radical transparency aren't the same thing; every whistleblower has a different reason for doing so and spreading all available information is just one possible desired outcome.

one of the reasons snowden sent his information to journalists was to remove his own biases from the process -- he wanted journalists to help go through it all, determine what was in the public interest, what could be unnecessarily damaging, etc. he wouldn't have had time to do that himself before being caught.

this is in stark contrast to documents found on wikileaks for example that contain social security numbers and other sensitive information completely unrelated to the thing the whistle is being blown on.


> one of the reasons snowden sent his information to journalists was to remove his own biases to be part of the process -- he wanted journalists to help go through it all, determine what was in the public interest, what could be unnecessarily damaging, etc.

Now, you introduced biases from the journalists, which is arguably not better. Journalists could be influenced or controlled by states or other parties, and then surely control a part of public opinion. (See the scandal with the Tesla employee who sent data to a reporter from Business Insider, and that reporter is then accused of being systematically biased against Tesla)

> this is in stark contrast to documents found on wikileaks for example that contain social security numbers and other sensitive information completely unrelated to the thing the whistle is being blown on.

That's a better argument to me.


> Now, you introduced biases from the journalists, which is arguably not better. Journalists could be influenced or controlled by states or other parties, and then surely control a part of public opinion.

sure, but he significantly reduced that risk by going to a number of journalists working for different organizations in different countries, creating a disincentive for any single publisher to become known as the one that publishes misinformation.

I agree there's a stronger argument against radical transparency than there is in favor of intermediaries, but whistleblowing is realistically never going to be a scenario in which the circumstance or timing is perfect... going to journalists is a good solution, not a magic one.


I'm not sure what projects you're thinking of; just moving the info is easy, making it fairly foolproof for a non-techie source to avoid leaving a datatrail while sending information + having a dialogue with you is hard.


ricochet is a metadata-free chat app with file transfers - it has been audited and uses onion routing in a novel way.


It's explicitly presented as experimental software, personally I'd put more trust in Tor browser.


well, don't use either if you're a whistleblower up against an advanced adversary, unless you really have to - that will put you into a very small population for analysis.

attacks on tor are, increasingly, attacks on tor browser[1], so I'm not sure I understand your logic there. ricochet has nothing to do with the web, it is not a browser, it just uses a tor process for routing -- tor browser presents a gigantic attack surface that the tor process itself does not.

FWIW, there was an issue or PR on github at some point after the ricochet audit about removing the "experimental" warning, I could be misremembering a different conversation but I think the author just wasn't comfortable telling people that using software for this sort of thing isn't inherently high-risk.

1. https://regmedia.co.uk/2016/03/29/alfin.pdf


Get more people to use both so they become less unusual seems like a better plan :-)

If you're only connecting to a newspaper's secure drop instance on a .onion the risk of running into malicious code seems low but I do agree that leakers need more than just Tor browser, so let's add whonix to that.

Ricochet does sound good and I'll try it at some point.


First step in trying it out requires inputting my full name and email address :/


That's the first step in trying out the project's public demo, where they host an instance on their servers and give you a subdomain. Setting up your own server does not give them your personal information.


Doesn't match up with what they say on the first lines of the readme file ...

"GlobaLeaks is open-source / free software intended to enable secure and anonymous whistleblowing initiatives..."


I think SecureDrop is the gold standard in this area - does GlobaLeaks offer anything over SecureDrop?


I haven't seen a feature comparison recently (I remember a panel discussion about this some years ago, but don't recall much substance), but I just wanted to point out that GlobaLeaks is a similar age to SecureDrop and may well be pretty mature. My impression is that SecureDrop is developed mainly by Americans and GlobaLeaks mainly by Europeans, and each might also have been deployed primarily on the continent where it was developed. If my impression is right, there might be an ongoing reason that particular groups of people are more familiar with one than the other.


Side note, but GlobaLeaks requires JavaScript. This is an issue if you fear someone might try to exploit your browser.


> Side note, but GlobaLeaks requires JavaScript. This is an issue if you fear someone might try to exploit your browser.

JS is not the only attack surface. Also what's the point of targeting anyone who goes into *.onion if it risks burning up your high-price exploit?


GlobaLeaks seems to include some case management feature and be widely used in the field of anticorruption.

Maybe the two softwares serve different use cases?

https://blog.torproject.org/italian-anti-corruption-authorit...


It has been a while since I looked into these 2.

But a few years ago, GlobaLeaks was a lot simpler to install and administer than SecureDrop. Which meant smaller organisations could afford to have an instance.


It seems that the same software has just been adopted by the municipal office against fraud and corruption of Madrid: https://news.ycombinator.com/item?id=17534287


The single biggest "success" of the whole leaks thing has been to help put Trump in office, which shows three things.

First, it's ridiculously easy for powerful and dubious players (example here Russian intelligence, not Trump) to twist this well-meaning idea into a horrible parody of itself.

Second, the most vulnerable to manipulation from this technique are democracies (and to a much lesser extent) public corporations, who I would argue, are less of a problem than either autocracies or super-rich individuals. You can't embarrass Putin out of office no matter what gets leaked. Anyone who tries to use it against him will fall out of a window and it will be forgotten. Nor can you easily make the Koch brothers behave, even if an award winning journalist writes a best-selling and award winning book about their shenanigans (https://www.amazon.com/Dark-Money-History-Billionaires-Radic...). You'd pretty much have to leak photos of them holding severed heads to get the US government to move against them effectively.

Third. Often, it's politically dangerous for a leader to do the 'right thing'. This technique is just as useful to prevent someone from doing the right thing as it is to prevent them from doing the wrong thing. The difference is how controversial the action is, not whether it is right or wrong.

So, regardless of whether this can be done securely, it's really important to ask yourself how it is likely to be used, by whom, and to what end. People tend to forget that stuff when they have a cool new technology.


Aren't the biggest recent successes of whistleblowing websites the publication of the Pentagon papers, HBGary Federal leaks, embassy cables, collateral damage material/videos and US global surveillance program? To my knowledge, whistleblowing had very little to nothing to do with the recent election.

Information manipulation is one of the core functions of the CIA, Russian Intelligence, etc. Whistleblowing agencies do not seek to solve CIA information manipulation - only provide an outlet for the publication of contradictory material. In other words: these systems publish information - they are not golden bullets. They do not protect you entirely from the CIA. They aren't intended to. Don't let perfect be the enemy of good.

Regarding the third point: it's often very easy for a leader to do the easy thing instead of the right thing.

Agree wholeheartedly that a person needs to be careful about how information is used, by whom, and to what end. I think that more than equally applies to Western intelligence and national security agencies.


So many down-votes, so few coherent arguments. :)

Maybe somebody can show me why I'm wrong in stating that democracies are asymmetrically more vulnerable, or that this can be used as readily by bad actors for bad ends as it can by well-intentioned people for good ends.


I suggest to remove the first sentence that is just a distraction from the later points that you make, especially without some further elaboration.

If we can create some technology, then dismissing it because it can be used to do bad things seems futile. Bad actors will create and use it anyway[1]. If you want to protect some secrets then have decent security protocols in place, network of trusted people, slightly different data encrypted with different public keys and so on.

I don't think government intelligence needs projects like this to do what they want to do.

I doubt you are trying to argue not to have knives because they kill people. You work at Google so I think your context may come from the fact that you can easily put things that make a lot of sense after considering them carefully in a bad light when presenting them to public without enough context. But you can do that based on any information, not necessarily private.

In general, in politics, data doesn't seem to matter all that much, unfortunately. We don't have democracy. We have some media-cracy. The majority of voters' opinions are heavily influenced by the media. So it's them who actually make decisions (or whoever controls them).

That's why Snowden for example, probably had much more influence on people who already thought about those things, than it had on general public.

1. bioweapons come to mind and those are indeed scary as our current defense is pretty much what I'm considering to be futile


I didn't down-vote but a pretty good counterargument is that there really is no evidence that Russia was actually behind the leaks other than the CIA and the department of homeland security said so. Seeing as these are the same organizations that lied to us time and time again, like lying about the cause of Benghazi, I'm not inclined to believe anything they say without evidence. These people are known liars and pretty much everything they say is a politically motivated manipulation.

Sure Russia could be behind the DNC leak, but so could a 14 year old who guessed that Podesta's password was password (if you believe Julian Assange's claims which haven't been denied by the DNC). It could also be a disgruntled Democratic party staffer who saw what Hillary and Podesta were like behind the scenes and said "fuck these people, the public needs to know what they're really like"

Second, why is it a bad thing that Hillary's email was leaked? It gave an insight into how corrupt the Democratic party is and how corrupt our politicians are and how the democratic process is being rigged. This is a lady who ran a private email server as secretary of state. I'm happy that we were able to find out how the Democratic party rigged the campaign against Sanders and worked a little too closely with the media to ensure a Hillary victory. I'm also glad we found out the real reason for the attacks on Libya (gold reserves not protection of people).

Sure it had a bad result for Trump opponents who didn't want Trump to win. But imagine it was not Trump but Obama running against Hillary and the emails had been leaked. I'm sure you and everyone else would be saying that it was a great moment for democracy instead of regarding it as a terrible mockery.


You can change all the names, but all of the criticisms remain valid. It's super-easy to game an anonymous "leak" distribution platform, in particular if you're an intelligence agency. That alone should give people pause, but it doesn't.


Do you have a better idea?

This is an iterative process. Yes, GlobaLeaks could be used to spread fake leaks, but then it will force all democratic processes to be more transparent, in order to efficiently prove or disprove leak L or new N.

How fast we can prove a piece of fact is the next step, but to get there, you have to give people the tools to spread information (true and fake) as much as possible, imho

Edit : Also, this initiative is European. If you don't trust your own intelligence services, stop whining about it and come live in Europe?


An intelligence agency can already leak stuff to the press while remaining largely anonymous, this doesn't improve their situation nearly as much as an actual whistleblower.


who was the whistle-blower in the Hillary emails?

Someone else gave the Pentagon papers as an example of a "good leak" and it was. But I think good leaks tend to be those, like the pentagon papers that are handled by responsible organizations (NY Times and Wash. Post in that case). The people who created this code may be just such people, but there's no reason to think someone who does git-clone on this repo is.

By the way, both the Post and the Times openly solicit leaks.


You're missing the point. If you assume some intelligence agency was behind the Clinton email leak, they could have anonymously leaked them to a range of press outlets and generated the same result. Meanwhile, Ellsberg had to work incredibly hard to prevent being caught before the Pentagon Papers went public. A site like this makes Ellsberg's life easier, while making no difference to the intelligence agency.

The method of leaking has little to do with the value of the leak, someone will print almost anything. The Times and the Post regularly print items intentionally leaked for propaganda purposes, the classic example is the buildup to the Iraq War.


I suppose you were too cynical to actually deliver your [fair] points, which rarely is an effective or respectful way to convey ideas.


I didn't downvote you, but I can see a reason for downvotes others than your arguments.

Maybe this post is not seen as relevant starting point of the discussion you wanted to have.


It's only irrelevant if you think it's reasonable to discuss/promote technologies while only considering their technical merits and the "pros" for their use. I don't think that anyone can legitimately make that argument.


All three of your points are about the dangers of a free press, not anything specific to online leaks.



