On 23/12/10 5:44 AM, Len Sassaman wrote:

> 2. Source protection. The site needs to provide a means for whistleblowers
> to contact the site operators, discuss issues, and submit documents in an
> anonymous manner. Wikileaks solves this with Tor, though there might be
> other ways. We need a clearly defined threat model to build against, and
> must keep in mind that usability is a security concern -- we have to
> assume that the whistleblowers are not geeks, and the site operators may
> not be, either.

If I think of the 3 whistleblower cases I'm mildly familiar with, there is no commonality between the source protection aspects. I think this might be something where whatever technical system you put in place, a wise whistleblower would not be keen to trust it. Given that the typical cost of being a whistleblower is probably minimum loss of income for years, and loss of liberty likely, it might be a really high target.

If that view holds, it might be better kicked out of any technical design for a publishing system.

> 3. Censorship resistance. If 2. brings to mind Tor, 3. brings to mind the
> Eternity Service. In this model, the publisher does not need to be
> anonymous, but the data needs to be authenticated and the service
> distributed. The CouchDB-based mirrors of the Afghanistan War Diaries
> provide a promising first-attempt; to be successful, these sites need to
> be able to leverage jurisdictional arbitrage and distributed hosting to
> resist network denial of service attacks and legal attacks aimed at
> taking their sites offline, as well as data corruption attacks aimed at
> invalidating the material by attacking its credibility with the
> introduction of false documents, etc.
>
> 3.a. would be a way for third-parties to obtain the material provided by
> these services in an anonymous fashion; I see this as lower priority than
> the other issues, but still something to think about.

OTOH, if you wanted to make source protection strong *and* technical (e.g., uploading), then you might want to make it the same system for both uploading and downloading. Hiding the source in a crowd of downloaders is one benefit, and making the download protection high profile may help to make the overall source/sink protection better.

4. Gatekeeper role. It would seem that any pure technical system could be flooded by junk. Typically a team is needed to analyse, filter, edit and approve.

> My goal here is to develop a formal, realistic model for the operation of
> a legitimate journalistic whistle-blower material clearinghouse. I'm
> basically proposing we replicate in public, with peer-review, the process
> I assume Wikileaks itself has undergone for the design of their system.
> Let's identify the likely attacks and attack vectors for given
> adversaries, compose a solution based on available technology, and
> assemble it in as easily deployable a manner as possible.
>
> Who else is interested? Let's get this discussion rolling.

Some thoughts!

iang
