On 3/11/15 1:10 PM, stef wrote:
>> GlobaLeaks is designed to be a whistleblowing framework that can be
>> used in very different contexts, from wildlife crime activism up to
>> anticorruption in Serbia up to PubLeaks-like journalism in the Netherlands,
>> keeping the maximum level of security achievable for a specific context
>> of use.
> Serbia sounds like a state-level actor, and I heard that the PubLeaks people
> also get attention from the local services.

The reality is that each scenario has its own peculiarities; really, it would be a very long and complex discussion that requires a few hours to analyze each scenario's details.

PubLeaks in the Netherlands has been deployed with Tails as "Leaktops" for the journalists for end-point security, with GlobaLeaks being hosted by a well-known third party within the activist community (GreenHost), with servers deployed in a geo-politically smart way, and with a service contract made with the "PubLeaks Foundation" (a legal entity created on purpose) to be resilient against certain kinds of "legal threats".

OCCRPLeaks, in Bosnia and the Balkan area, instead requires leveraging "plausible deniability" by embedding GlobaLeaks within an existing HTTPS site (https://occrp.org), because plausible deniability has been considered, after threat modelling with the stakeholders, more relevant than just saying "Hey, use Tor to access this .onion site".

In Africa for AfriLeaks we're considering that, in certain countries, it's better to avoid using any Tails or Tor stuff and better to implement deception strategies.

When you work supporting the many initiatives you'll just realize that many times the cryptographic/technical implementation side of a whistleblowing initiative's security is a minor part and shall be considered in a broader "security" threat model. Given that the picture is complex and variegated enough, we are providing such a differentiated set of security levels, from a technical and procedural point of view.

Consider that in most situations, when you consider significant threats, only opsec procedures and stakeholder organization can provide some degree of protection (or at least detection), with technology playing a little role. The way you work in a place where "the rule of law" is effective is very different from working in a place where having an encrypted USB stick with you can lead to torture.

Hope to have provided a broader view on how complex and complicated our threat model can be, so that we must make individual security choices that enable us to provide a graduated/configurable level of security (that could go up, being very strong, or go down, being more flexible).

Btw, that's not the goal of this thread, but I loved to articulate an answer! :)

--
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - https://globaleaks.org - https://tor2web.org - https://ahmia.fi

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
