SlideShare a Scribd company logo

Wikileaks: secure dropbox or leaking dropbox?

H
hackdemocracy

Presentation by Jean-Jacques Quisquater (@_jjq)

1 of 56
Download to read offline
Wikileaks: secure dropbox or leaking dropbox ?? Jean-Jacques Quisquater UCL Crypto Group Louvain-la-Neuve jjq@uclouvain.be January 19 2011 twitter : @_jjq
Who I am? Jean-Jacques Quisquater • Engineer in applied mathematics (UCL, Belgium, 1970) • PhD in Computer Science (Orsay, France, 1987) • Scientist full time (1970-2010) • 20 years for Philips, 20 years academics • Professor of cryptography at UCLouvain-la-Neuve, ENS (Paris) • Working about cryptography, security, privacy from 1979 (200 papers, 40 PhD thesis, …) • Doing and applying research in cryptography for protecting easily people, privacy and democracy: – smart card, – electronic Id, – electronic passport, – electronic voting, … • Emeritus UCL (2010-…) and visiting scientist at MIT (2004-…)
Mission for today • Explaining in 5 minutes (!) how organizations like Wikileaks can use technology to insure leakers remain anonymous.
Mission for today • Explaining in 5 minutes (!) the way in which organizations like Wikileaks can use technology to insure leakers remain anonymous. • Solution: perfect electronic dropbox
Basic scheme on the web Hot dropbox info Hot leaker
Anonymous dropbox on the web • Internet voting • Auction • Disclosures (Enron, Worldcom, …) • Whistleblowers (« lanceur d’alerte ») • Audit • Suggestion box • Survey, poll • See also tor • …
Wikileaks (14/01/2007) • Wikileaks will also incorporate advanced cryptographic technologies for anonymity and untraceability. Those who provide leaked information may face severe risks, whether of political repercussions, legal sanctions or physical violence. Accordingly, extremely sophisticated mathematical and cryptographic techniques will be used to secure privacy, anonymity and untraceability. • For the technically minded, Wikileaks integrates technologies including modified versions of FreeNet, Tor, PGP and software of our own design.
Wikileaks (14/01/2011)
Wikileaks (14/01/2011)
Trac(k)ing files • Adding hidden and difficult to remove specific information related to access (time, user, location, …): the EBU model • Adding specific visible information (diffficult to remove, errors, rounded numbers, …) • Watermarking for – Paper, – Map, – Object, – Printer, fax, computer (fonts, yellow dots, …), – Photo, – Text (font, distance between letters, words), – Program, – …
Personally identifiable information about users privacy Basic Tools: - Encryption - Anonymizer Services: - ixquick=startpage, … IXQUICK
anonymity • refers to the state of an individual's personal identity being publicly unknown.
anonymity
Trace: any information untraceability about the user • internet • PC or internet cafe • files •…
Internet traces (tcp-ip v4, v6) • SENDER: – From: IP address – To: IP address – Sent time – IP geolocalisation – Length of message – Data RECEIVER: – Received time • Think about the layers (applications, transport, internet, link)
Attacks and threat model(s) • Traffic analysis (encrypted data!) • DoS (denial of service) against main routers for forcing rerouting • Ad-hoc virus, worm, injected javascript (for capturing keys, passwords, censoring (Tunisia), sabotage: stuxnet, …) • Aggregation or linking (same anonymous user?) • Password correlation
Who needs protection? http://www.torproject.org/about/torusers.html.en • Normal people for protecting – privacy from unscrupulous marketers and identity thieves – communications from irresponsible corporations – children online; research sensitive topics • Militaries (internet designed by DARPA, tor by NRL, DES by IBM-NSA, …) – Field agents; Hidden services; Intelligence gathering • Journalists and their audience – Reporters without Borders – US International Broadcasting Bureau (Voice of America/Radio Free Europe) – Citizen journalists in China; Citizens and journalists in Internet black holes • Law enforcement officers – Online surveillance; Sting operations; Truly anonymous tip lines • Activists and Whistleblowers – Amnesty international … • Business executives, Bloggers, IT Professionals – http://www.eff.org/issues/bloggers/legal
cryptography • Encryption for confidentiality of data • Signature for integrity of data • Key generation, distribution, storage, authentication • Problem: bad implementations and/or use (including SSL or https!) • Most implementations are leaking taking into account the protocols (effective security: x bits?)
proxy • Change your IP address into another one • Uses: – Remote use of ressources – anonymity of your IP address • An anonymous proxy server hides the IP address and removes traffic such as: – Cookies – Pop-ups – Banners – Scripts – Referrer information
Mixnet (Chaum, 1981) • Mixes enable anonymous communication by means of cryptography, scrambling the messages, and unifying them (padding to constant size, fixing a constant sending rate by sending dummy messages, etc) • Examples: mixmaster, tor • Chaum, “Untraceable Electronic Mail, Return Addresses, and Digital Pseudonym,” Communications of the ACM, 24:2, Feb. 1981
Mixnet
Onion routing • http://www.onion-router.net/ • Reed, Syverson, Goldschlag, “Anonymous Connections and Onion Routing,” Proc. of IEEE Symposium on Security and Privacy, Oakland, CA, May ’97, pp. 44-54 • patented by the United States Navy in US Patent No. 6266704 (1998) (current version of tor is not using it)
Freenet (Clarke, 1999; Clarke, Sandberg, Wiley, Hong, 2000) • http://freenetproject.org/ (running) • Freenet is free software which lets you anonymously share files, browse and publish "freesites" (web sites accessible only through Freenet) and chat on forums, without fear of censorship. Freenet is decentralised to make it less vulnerable to attack, and if used in "darknet" mode, where users only connect to their friends, is very difficult to detect.
Tor • Tor is a system intended to enable online anonymity, composed of client software and a network of servers which can mask information about users' locations and other factors which might identify them. • Use of this system makes it more difficult to trace internet traffic to the user, including visits to Web sites, online posts, instant messages, and other communication forms. • It is intended to protect users' personal freedom, privacy, and ability to conduct confidential business, by keeping their internet activities from being monitored.
Tor (Dingledine, Mathewson, Sylverson, 2004) • http://www.torproject.org/ • http://torstatus.blutmagie.de/
Technical attacks against tor
Tor alternatives • http://alternativeto.net/software/tor/ • http://www.shoutmeloud.com/ultrasurf- your-freedom-opera-tor-freegate- alternative.html • http://www.digitalalchemy.tv/2006/11/psi phon-offers-alternative-to-tor-for.html • http://web.informer.com/tor+alternative • Psiphon: http://psiphon.ca/
PGP (Phil Zimmermann, 1991) • Pretty Good Privacy (also GPG) • computer program that provides cryptographic privacy and authentication for data communication • Symantec and openPGP
darknet • // black box (a system or device whose contents were unknown) • Isolated network for security purpose (1970) • any closed, private group of people communicating • a collection of networks and technologies used to share digital content • Examples of darknets: peer-to-peer file sharing, CD and DVD copying, key or password sharing on email and newsgroups
Main conferences • Design – All security conferences and workshops • Attacks – CCC – Black Hat – Defcon – Usenix security
Internet ennemies (red)
Encryption user computer E, k Encrypted data D, k data data
Steganography user computer E, k Mixed data D, k Secret data Secret data Clear data
steganography • Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message.
Steganography: example
Steganography: example Removing all but the two least significant bits of each color component produces an almost completely black image. Making that image 85 times brighter produces …
Steganography: example Removing all but the two least significant bits of each color component produces an almost completely black image. Making that image 85 times brighter produces …
Haystack (SFO) • Haystack was a partially completed proprietary network traffic obfuscator and encryptor that was being designed to circumvent internet censorship in Iran.
Haystack
Haystack
Ethical problems • Use by opponents (which ones?) • Use by terrorists • Use by « pirates » (p2p networks) • ACTA? (Tor not legal in some countries?) • What to do?
pdf file (versus word) • Pdf is not an easy solution for the receiver… • Very dangerous due to the possibility of hidden and malicious executables
Hidden services (tor)
Wikileaks: secure dropbox or leaking dropbox?
Wikileaks: secure dropbox or leaking dropbox?
Wikileaks: secure dropbox or leaking dropbox?
Wikileaks: secure dropbox or leaking dropbox?
Wikileaks: secure dropbox or leaking dropbox?

Recommended

Crypto Hot Cases – One Year Backward
Crypto Hot Cases – One Year BackwardCrypto Hot Cases – One Year Backward
Crypto Hot Cases – One Year BackwardPositive Hack Days
 
(130727) #fitalk anonymous network concepts and implementation
(130727) #fitalk anonymous network concepts and implementation(130727) #fitalk anonymous network concepts and implementation
(130727) #fitalk anonymous network concepts and implementationINSIGHT FORENSIC
 
Runa Sandvik, The Tor Project, London: Online Anonymity: Before and After th...
Runa Sandvik, The Tor Project, London: Online Anonymity: Before and After th... Runa Sandvik, The Tor Project, London: Online Anonymity: Before and After th...
Runa Sandvik, The Tor Project, London: Online Anonymity: Before and After th...i_scienceEU
 
Demystifying Secure Channel
Demystifying Secure ChannelDemystifying Secure Channel
Demystifying Secure ChannelViral Parmar
 
Dark net
Dark netDark net
Dark netMudasser Afzal
 
Encryption
EncryptionEncryption
EncryptionDanielNanaAnyemeduHe
 
Powerpoint
PowerpointPowerpoint
PowerpointMarcelomazzocato
 
Darknet - Is this the future of Internet?
Darknet - Is this the future of Internet? Darknet - Is this the future of Internet?
Darknet - Is this the future of Internet? Bangladesh Network Operators Group
 

Recommended

Crypto Hot Cases – One Year Backward
Crypto Hot Cases – One Year BackwardCrypto Hot Cases – One Year Backward
Crypto Hot Cases – One Year BackwardPositive Hack Days
 
(130727) #fitalk anonymous network concepts and implementation
(130727) #fitalk anonymous network concepts and implementation(130727) #fitalk anonymous network concepts and implementation
(130727) #fitalk anonymous network concepts and implementationINSIGHT FORENSIC
 
Runa Sandvik, The Tor Project, London: Online Anonymity: Before and After th...
Runa Sandvik, The Tor Project, London: Online Anonymity: Before and After th... Runa Sandvik, The Tor Project, London: Online Anonymity: Before and After th...
Runa Sandvik, The Tor Project, London: Online Anonymity: Before and After th...i_scienceEU
 
Demystifying Secure Channel
Demystifying Secure ChannelDemystifying Secure Channel
Demystifying Secure ChannelViral Parmar
 
Dark net
Dark netDark net
Dark netMudasser Afzal
 
Encryption
EncryptionEncryption
EncryptionDanielNanaAnyemeduHe
 
Powerpoint
PowerpointPowerpoint
PowerpointMarcelomazzocato
 
Darknet - Is this the future of Internet?
Darknet - Is this the future of Internet? Darknet - Is this the future of Internet?
Darknet - Is this the future of Internet? Bangladesh Network Operators Group
 
Introduction to HackDemocracy Brussels Meetup 3
Introduction to HackDemocracy Brussels Meetup 3Introduction to HackDemocracy Brussels Meetup 3
Introduction to HackDemocracy Brussels Meetup 3hackdemocracy
 
HackDemocracy 4: Open Data in Belgium Introduction
HackDemocracy 4: Open Data in Belgium IntroductionHackDemocracy 4: Open Data in Belgium Introduction
HackDemocracy 4: Open Data in Belgium Introductionhackdemocracy
 
Pirate Party, Wikileaks & the Anonymous
Pirate Party, Wikileaks & the AnonymousPirate Party, Wikileaks & the Anonymous
Pirate Party, Wikileaks & the Anonymoushackdemocracy
 
Online and Offline Activism with the Indignados/Occupy movement
Online and Offline Activism with the Indignados/Occupy movementOnline and Offline Activism with the Indignados/Occupy movement
Online and Offline Activism with the Indignados/Occupy movementhackdemocracy
 
Political Memory - Memopol Toolkit (HackDemocracy Meetup 5)
Political Memory - Memopol Toolkit (HackDemocracy Meetup 5)Political Memory - Memopol Toolkit (HackDemocracy Meetup 5)
Political Memory - Memopol Toolkit (HackDemocracy Meetup 5)hackdemocracy
 
HackDemocracy Brussels 3: Using technology to improve School Choice Procedures
HackDemocracy Brussels 3: Using technology to improve School Choice ProceduresHackDemocracy Brussels 3: Using technology to improve School Choice Procedures
HackDemocracy Brussels 3: Using technology to improve School Choice Procedureshackdemocracy
 
Citizen Media Meetup
Citizen Media MeetupCitizen Media Meetup
Citizen Media Meetuphackdemocracy
 
FairObserver by Fabian Neuen
FairObserver by Fabian NeuenFairObserver by Fabian Neuen
FairObserver by Fabian Neuenhackdemocracy
 
Introduction HackDemocracy Meetup 5: Citizen Platforms for Political Accounta...
Introduction HackDemocracy Meetup 5: Citizen Platforms for Political Accounta...Introduction HackDemocracy Meetup 5: Citizen Platforms for Political Accounta...
Introduction HackDemocracy Meetup 5: Citizen Platforms for Political Accounta...hackdemocracy
 
NewEurAsia by Christopher Schwartz
NewEurAsia by Christopher SchwartzNewEurAsia by Christopher Schwartz
NewEurAsia by Christopher Schwartzhackdemocracy
 
iRail and OpenData
iRail and OpenDataiRail and OpenData
iRail and OpenDatahackdemocracy
 
Introduction HackDemocracy Meetup 5: Citizen Platforms for Political Accounta...
Introduction HackDemocracy Meetup 5: Citizen Platforms for Political Accounta...Introduction HackDemocracy Meetup 5: Citizen Platforms for Political Accounta...
Introduction HackDemocracy Meetup 5: Citizen Platforms for Political Accounta...hackdemocracy
 
Introduction keynote to HackDemocracy
Introduction keynote to HackDemocracyIntroduction keynote to HackDemocracy
Introduction keynote to HackDemocracyhackdemocracy
 
Обзор Html 5
Обзор Html 5Обзор Html 5
Обзор Html 5GetDev.NET
 
Introduction to hack democracy meetup 2
Introduction to hack democracy meetup 2Introduction to hack democracy meetup 2
Introduction to hack democracy meetup 2hackdemocracy
 
Open Data in the Brussels Region
Open Data in the Brussels RegionOpen Data in the Brussels Region
Open Data in the Brussels Regionhackdemocracy
 
Hack Democracy San Francisco meetup #1 - intro
Hack Democracy San Francisco meetup #1 - introHack Democracy San Francisco meetup #1 - intro
Hack Democracy San Francisco meetup #1 - introhackdemocracy
 
Open data in public-private partnerships
Open data in public-private partnershipsOpen data in public-private partnerships
Open data in public-private partnershipshackdemocracy
 
OpenBelgium.Be
OpenBelgium.BeOpenBelgium.Be
OpenBelgium.Behackdemocracy
 
Microsoft NUI - Surface
Microsoft NUI - SurfaceMicrosoft NUI - Surface
Microsoft NUI - SurfaceGetDev.NET
 
Privacy on the Internet - Init6 InfoSec August Meeting
Privacy on the Internet - Init6 InfoSec August MeetingPrivacy on the Internet - Init6 InfoSec August Meeting
Privacy on the Internet - Init6 InfoSec August MeetingJose L. Quiñones-Borrero
 
Fundamentals of Network security
Fundamentals of Network securityFundamentals of Network security
Fundamentals of Network securityAPNIC
 

More Related Content

Viewers also liked

Introduction to HackDemocracy Brussels Meetup 3
Introduction to HackDemocracy Brussels Meetup 3Introduction to HackDemocracy Brussels Meetup 3
Introduction to HackDemocracy Brussels Meetup 3hackdemocracy
 
HackDemocracy 4: Open Data in Belgium Introduction
HackDemocracy 4: Open Data in Belgium IntroductionHackDemocracy 4: Open Data in Belgium Introduction
HackDemocracy 4: Open Data in Belgium Introductionhackdemocracy
 
Pirate Party, Wikileaks & the Anonymous
Pirate Party, Wikileaks & the AnonymousPirate Party, Wikileaks & the Anonymous
Pirate Party, Wikileaks & the Anonymoushackdemocracy
 
Online and Offline Activism with the Indignados/Occupy movement
Online and Offline Activism with the Indignados/Occupy movementOnline and Offline Activism with the Indignados/Occupy movement
Online and Offline Activism with the Indignados/Occupy movementhackdemocracy
 
Political Memory - Memopol Toolkit (HackDemocracy Meetup 5)
Political Memory - Memopol Toolkit (HackDemocracy Meetup 5)Political Memory - Memopol Toolkit (HackDemocracy Meetup 5)
Political Memory - Memopol Toolkit (HackDemocracy Meetup 5)hackdemocracy
 
HackDemocracy Brussels 3: Using technology to improve School Choice Procedures
HackDemocracy Brussels 3: Using technology to improve School Choice ProceduresHackDemocracy Brussels 3: Using technology to improve School Choice Procedures
HackDemocracy Brussels 3: Using technology to improve School Choice Procedureshackdemocracy
 
Citizen Media Meetup
Citizen Media MeetupCitizen Media Meetup
Citizen Media Meetuphackdemocracy
 
FairObserver by Fabian Neuen
FairObserver by Fabian NeuenFairObserver by Fabian Neuen
FairObserver by Fabian Neuenhackdemocracy
 
Introduction HackDemocracy Meetup 5: Citizen Platforms for Political Accounta...
Introduction HackDemocracy Meetup 5: Citizen Platforms for Political Accounta...Introduction HackDemocracy Meetup 5: Citizen Platforms for Political Accounta...
Introduction HackDemocracy Meetup 5: Citizen Platforms for Political Accounta...hackdemocracy
 
NewEurAsia by Christopher Schwartz
NewEurAsia by Christopher SchwartzNewEurAsia by Christopher Schwartz
NewEurAsia by Christopher Schwartzhackdemocracy
 
Introduction HackDemocracy Meetup 5: Citizen Platforms for Political Accounta...
Introduction HackDemocracy Meetup 5: Citizen Platforms for Political Accounta...Introduction HackDemocracy Meetup 5: Citizen Platforms for Political Accounta...
Introduction HackDemocracy Meetup 5: Citizen Platforms for Political Accounta...hackdemocracy
 
Introduction keynote to HackDemocracy
Introduction keynote to HackDemocracyIntroduction keynote to HackDemocracy
Introduction keynote to HackDemocracyhackdemocracy
 
Обзор Html 5
Обзор Html 5Обзор Html 5
Обзор Html 5GetDev.NET
 
Introduction to hack democracy meetup 2
Introduction to hack democracy meetup 2Introduction to hack democracy meetup 2
Introduction to hack democracy meetup 2hackdemocracy
 
Open Data in the Brussels Region
Open Data in the Brussels RegionOpen Data in the Brussels Region
Open Data in the Brussels Regionhackdemocracy
 
Hack Democracy San Francisco meetup #1 - intro
Hack Democracy San Francisco meetup #1 - introHack Democracy San Francisco meetup #1 - intro
Hack Democracy San Francisco meetup #1 - introhackdemocracy
 
Open data in public-private partnerships
Open data in public-private partnershipsOpen data in public-private partnerships
Open data in public-private partnershipshackdemocracy
 
Microsoft NUI - Surface
Microsoft NUI - SurfaceMicrosoft NUI - Surface
Microsoft NUI - SurfaceGetDev.NET
 

Viewers also liked (20)

Introduction to HackDemocracy Brussels Meetup 3
Introduction to HackDemocracy Brussels Meetup 3Introduction to HackDemocracy Brussels Meetup 3
Introduction to HackDemocracy Brussels Meetup 3
 
HackDemocracy 4: Open Data in Belgium Introduction
HackDemocracy 4: Open Data in Belgium IntroductionHackDemocracy 4: Open Data in Belgium Introduction
HackDemocracy 4: Open Data in Belgium Introduction
 
Pirate Party, Wikileaks & the Anonymous
Pirate Party, Wikileaks & the AnonymousPirate Party, Wikileaks & the Anonymous
Pirate Party, Wikileaks & the Anonymous
 
Online and Offline Activism with the Indignados/Occupy movement
Online and Offline Activism with the Indignados/Occupy movementOnline and Offline Activism with the Indignados/Occupy movement
Online and Offline Activism with the Indignados/Occupy movement
 
Political Memory - Memopol Toolkit (HackDemocracy Meetup 5)
Political Memory - Memopol Toolkit (HackDemocracy Meetup 5)Political Memory - Memopol Toolkit (HackDemocracy Meetup 5)
Political Memory - Memopol Toolkit (HackDemocracy Meetup 5)
 
HackDemocracy Brussels 3: Using technology to improve School Choice Procedures
HackDemocracy Brussels 3: Using technology to improve School Choice ProceduresHackDemocracy Brussels 3: Using technology to improve School Choice Procedures
HackDemocracy Brussels 3: Using technology to improve School Choice Procedures
 
Citizen Media Meetup
Citizen Media MeetupCitizen Media Meetup
Citizen Media Meetup
 
FairObserver by Fabian Neuen
FairObserver by Fabian NeuenFairObserver by Fabian Neuen
FairObserver by Fabian Neuen
 
Introduction HackDemocracy Meetup 5: Citizen Platforms for Political Accounta...
Introduction HackDemocracy Meetup 5: Citizen Platforms for Political Accounta...Introduction HackDemocracy Meetup 5: Citizen Platforms for Political Accounta...
Introduction HackDemocracy Meetup 5: Citizen Platforms for Political Accounta...
 
NewEurAsia by Christopher Schwartz
NewEurAsia by Christopher SchwartzNewEurAsia by Christopher Schwartz
NewEurAsia by Christopher Schwartz
 
iRail and OpenData
iRail and OpenDataiRail and OpenData
iRail and OpenData
 
Introduction HackDemocracy Meetup 5: Citizen Platforms for Political Accounta...
Introduction HackDemocracy Meetup 5: Citizen Platforms for Political Accounta...Introduction HackDemocracy Meetup 5: Citizen Platforms for Political Accounta...
Introduction HackDemocracy Meetup 5: Citizen Platforms for Political Accounta...
 
Introduction keynote to HackDemocracy
Introduction keynote to HackDemocracyIntroduction keynote to HackDemocracy
Introduction keynote to HackDemocracy
 
Обзор Html 5
Обзор Html 5Обзор Html 5
Обзор Html 5
 
Introduction to hack democracy meetup 2
Introduction to hack democracy meetup 2Introduction to hack democracy meetup 2
Introduction to hack democracy meetup 2
 
Open Data in the Brussels Region
Open Data in the Brussels RegionOpen Data in the Brussels Region
Open Data in the Brussels Region
 
Hack Democracy San Francisco meetup #1 - intro
Hack Democracy San Francisco meetup #1 - introHack Democracy San Francisco meetup #1 - intro
Hack Democracy San Francisco meetup #1 - intro
 
Open data in public-private partnerships
Open data in public-private partnershipsOpen data in public-private partnerships
Open data in public-private partnerships
 
OpenBelgium.Be
OpenBelgium.BeOpenBelgium.Be
OpenBelgium.Be
 
Microsoft NUI - Surface
Microsoft NUI - SurfaceMicrosoft NUI - Surface
Microsoft NUI - Surface
 

Similar to Wikileaks: secure dropbox or leaking dropbox?

Privacy on the Internet - Init6 InfoSec August Meeting
Privacy on the Internet - Init6 InfoSec August MeetingPrivacy on the Internet - Init6 InfoSec August Meeting
Privacy on the Internet - Init6 InfoSec August MeetingJose L. Quiñones-Borrero
 
Fundamentals of Network security
Fundamentals of Network securityFundamentals of Network security
Fundamentals of Network securityAPNIC
 
Acpe 2014 Internet Anonymity Using Tor
Acpe 2014 Internet Anonymity Using TorAcpe 2014 Internet Anonymity Using Tor
Acpe 2014 Internet Anonymity Using TorJack Maynard
 
Tor network seminar by 13504
Tor network seminar by 13504 Tor network seminar by 13504
Tor network seminar by 13504 Prashant Rana
 
Cyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyCyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyb coatesworth
 
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerTouring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerAbhinav Biswas
 
Internet and Securities
Internet and SecuritiesInternet and Securities
Internet and SecuritiesNayan Dagliya
 
Bar Camp 11 Oct09 Hacking
Bar Camp 11 Oct09 HackingBar Camp 11 Oct09 Hacking
Bar Camp 11 Oct09 HackingBarcamp Kerala
 
Unit 1 Introducation
Unit 1 IntroducationUnit 1 Introducation
Unit 1 IntroducationTushar Rajput
 
Introduction To Computer Security
Introduction To Computer SecurityIntroduction To Computer Security
Introduction To Computer SecurityVibrant Event
 
Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security Vibrant Event
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hackingSamip Shah
 
FreedomBox & Community Wi-Fi networks
FreedomBox & Community Wi-Fi networksFreedomBox & Community Wi-Fi networks
FreedomBox & Community Wi-Fi networksGeekNightHyderabad
 
Presentation cyber forensics & ethical hacking
Presentation cyber forensics & ethical hackingPresentation cyber forensics & ethical hacking
Presentation cyber forensics & ethical hackingAmbuj Kumar
 
Pichman privacy, the dark web, & hacker devices i school (1)
Pichman privacy, the dark web, & hacker devices i school (1)Pichman privacy, the dark web, & hacker devices i school (1)
Pichman privacy, the dark web, & hacker devices i school (1)Stephen Abram
 
Introduction to ethical hacking
Introduction to ethical hackingIntroduction to ethical hacking
Introduction to ethical hackingankit sarode
 

Similar to Wikileaks: secure dropbox or leaking dropbox? (20)

Privacy on the Internet - Init6 InfoSec August Meeting
Privacy on the Internet - Init6 InfoSec August MeetingPrivacy on the Internet - Init6 InfoSec August Meeting
Privacy on the Internet - Init6 InfoSec August Meeting
 
Fundamentals of Network security
Fundamentals of Network securityFundamentals of Network security
Fundamentals of Network security
 
Acpe 2014 Internet Anonymity Using Tor
Acpe 2014 Internet Anonymity Using TorAcpe 2014 Internet Anonymity Using Tor
Acpe 2014 Internet Anonymity Using Tor
 
Tor network seminar by 13504
Tor network seminar by 13504 Tor network seminar by 13504
Tor network seminar by 13504
 
TOR NETWORK
TOR NETWORKTOR NETWORK
TOR NETWORK
 
Cyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyCyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spy
 
Cryto Party at CCU
Cryto Party at CCUCryto Party at CCU
Cryto Party at CCU
 
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerTouring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
 
Internet and Securities
Internet and SecuritiesInternet and Securities
Internet and Securities
 
Cyber crime &_info_security
Cyber crime &_info_securityCyber crime &_info_security
Cyber crime &_info_security
 
Bar Camp 11 Oct09 Hacking
Bar Camp 11 Oct09 HackingBar Camp 11 Oct09 Hacking
Bar Camp 11 Oct09 Hacking
 
Unit 1 Introducation
Unit 1 IntroducationUnit 1 Introducation
Unit 1 Introducation
 
Introduction To Computer Security
Introduction To Computer SecurityIntroduction To Computer Security
Introduction To Computer Security
 
Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security
 
Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer SecurityEthical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
FreedomBox & Community Wi-Fi networks
FreedomBox & Community Wi-Fi networksFreedomBox & Community Wi-Fi networks
FreedomBox & Community Wi-Fi networks
 
Presentation cyber forensics & ethical hacking
Presentation cyber forensics & ethical hackingPresentation cyber forensics & ethical hacking
Presentation cyber forensics & ethical hacking
 
Pichman privacy, the dark web, & hacker devices i school (1)
Pichman privacy, the dark web, & hacker devices i school (1)Pichman privacy, the dark web, & hacker devices i school (1)
Pichman privacy, the dark web, & hacker devices i school (1)
 
Introduction to ethical hacking
Introduction to ethical hackingIntroduction to ethical hacking
Introduction to ethical hacking
 

Wikileaks: secure dropbox or leaking dropbox?

  • 1. Wikileaks: secure dropbox or leaking dropbox ?? Jean-Jacques Quisquater UCL Crypto Group Louvain-la-Neuve jjq@uclouvain.be January 19 2011 twitter : @_jjq
  • 2. Who I am? Jean-Jacques Quisquater • Engineer in applied mathematics (UCL, Belgium, 1970) • PhD in Computer Science (Orsay, France, 1987) • Scientist full time (1970-2010) • 20 years for Philips, 20 years academics • Professor of cryptography at UCLouvain-la-Neuve, ENS (Paris) • Working about cryptography, security, privacy from 1979 (200 papers, 40 PhD thesis, …) • Doing and applying research in cryptography for protecting easily people, privacy and democracy: – smart card, – electronic Id, – electronic passport, – electronic voting, … • Emeritus UCL (2010-…) and visiting scientist at MIT (2004-…)
  • 3. Mission for today • Explaining in 5 minutes (!) how organizations like Wikileaks can use technology to insure leakers remain anonymous.
  • 4. Mission for today • Explaining in 5 minutes (!) the way in which organizations like Wikileaks can use technology to insure leakers remain anonymous. • Solution: perfect electronic dropbox
  • 5. Basic scheme on the web Hot dropbox info Hot leaker
  • 6.
  • 7. Anonymous dropbox on the web • Internet voting • Auction • Disclosures (Enron, Worldcom, …) • Whistleblowers (« lanceur d’alerte ») • Audit • Suggestion box • Survey, poll • See also tor • …
  • 8. Wikileaks (14/01/2007) • Wikileaks will also incorporate advanced cryptographic technologies for anonymity and untraceability. Those who provide leaked information may face severe risks, whether of political repercussions, legal sanctions or physical violence. Accordingly, extremely sophisticated mathematical and cryptographic techniques will be used to secure privacy, anonymity and untraceability. • For the technically minded, Wikileaks integrates technologies including modified versions of FreeNet, Tor, PGP and software of our own design.
  • 11. Trac(k)ing files • Adding hidden and difficult to remove specific information related to access (time, user, location, …): the EBU model • Adding specific visible information (diffficult to remove, errors, rounded numbers, …) • Watermarking for – Paper, – Map, – Object, – Printer, fax, computer (fonts, yellow dots, …), – Photo, – Text (font, distance between letters, words), – Program, – …
  • 12. Personally identifiable information about users privacy Basic Tools: - Encryption - Anonymizer Services: - ixquick=startpage, … IXQUICK
  • 13. anonymity • refers to the state of an individual's personal identity being publicly unknown.
  • 15. Trace: any information untraceability about the user • internet • PC or internet cafe • files •…
  • 16. Internet traces (tcp-ip v4, v6) • SENDER: – From: IP address – To: IP address – Sent time – IP geolocalisation – Length of message – Data RECEIVER: – Received time • Think about the layers (applications, transport, internet, link)
  • 17. Attacks and threat model(s) • Traffic analysis (encrypted data!) • DoS (denial of service) against main routers for forcing rerouting • Ad-hoc virus, worm, injected javascript (for capturing keys, passwords, censoring (Tunisia), sabotage: stuxnet, …) • Aggregation or linking (same anonymous user?) • Password correlation
  • 18. Who needs protection? http://www.torproject.org/about/torusers.html.en • Normal people for protecting – privacy from unscrupulous marketers and identity thieves – communications from irresponsible corporations – children online; research sensitive topics • Militaries (internet designed by DARPA, tor by NRL, DES by IBM-NSA, …) – Field agents; Hidden services; Intelligence gathering • Journalists and their audience – Reporters without Borders – US International Broadcasting Bureau (Voice of America/Radio Free Europe) – Citizen journalists in China; Citizens and journalists in Internet black holes • Law enforcement officers – Online surveillance; Sting operations; Truly anonymous tip lines • Activists and Whistleblowers – Amnesty international … • Business executives, Bloggers, IT Professionals – http://www.eff.org/issues/bloggers/legal
  • 19. cryptography • Encryption for confidentiality of data • Signature for integrity of data • Key generation, distribution, storage, authentication • Problem: bad implementations and/or use (including SSL or https!) • Most implementations are leaking taking into account the protocols (effective security: x bits?)
  • 20. proxy • Change your IP address into another one • Uses: – Remote use of ressources – anonymity of your IP address • An anonymous proxy server hides the IP address and removes traffic such as: – Cookies – Pop-ups – Banners – Scripts – Referrer information
  • 21. Mixnet (Chaum, 1981) • Mixes enable anonymous communication by means of cryptography, scrambling the messages, and unifying them (padding to constant size, fixing a constant sending rate by sending dummy messages, etc) • Examples: mixmaster, tor • Chaum, “Untraceable Electronic Mail, Return Addresses, and Digital Pseudonym,” Communications of the ACM, 24:2, Feb. 1981
  • 23. Onion routing • http://www.onion-router.net/ • Reed, Syverson, Goldschlag, “Anonymous Connections and Onion Routing,” Proc. of IEEE Symposium on Security and Privacy, Oakland, CA, May ’97, pp. 44-54 • patented by the United States Navy in US Patent No. 6266704 (1998) (current version of tor is not using it)
  • 24.
  • 25. Freenet (Clarke, 1999; Clarke, Sandberg, Wiley, Hong, 2000) • http://freenetproject.org/ (running) • Freenet is free software which lets you anonymously share files, browse and publish "freesites" (web sites accessible only through Freenet) and chat on forums, without fear of censorship. Freenet is decentralised to make it less vulnerable to attack, and if used in "darknet" mode, where users only connect to their friends, is very difficult to detect.
  • 26. Tor • Tor is a system intended to enable online anonymity, composed of client software and a network of servers which can mask information about users' locations and other factors which might identify them. • Use of this system makes it more difficult to trace internet traffic to the user, including visits to Web sites, online posts, instant messages, and other communication forms. • It is intended to protect users' personal freedom, privacy, and ability to conduct confidential business, by keeping their internet activities from being monitored.
  • 27. Tor (Dingledine, Mathewson, Sylverson, 2004) • http://www.torproject.org/ • http://torstatus.blutmagie.de/
  • 28.
  • 29.
  • 31. Tor alternatives • http://alternativeto.net/software/tor/ • http://www.shoutmeloud.com/ultrasurf- your-freedom-opera-tor-freegate- alternative.html • http://www.digitalalchemy.tv/2006/11/psi phon-offers-alternative-to-tor-for.html • http://web.informer.com/tor+alternative • Psiphon: http://psiphon.ca/
  • 32. PGP (Phil Zimmermann, 1991) • Pretty Good Privacy (also GPG) • computer program that provides cryptographic privacy and authentication for data communication • Symantec and openPGP
  • 33. darknet • // black box (a system or device whose contents were unknown) • Isolated network for security purpose (1970) • any closed, private group of people communicating • a collection of networks and technologies used to share digital content • Examples of darknets: peer-to-peer file sharing, CD and DVD copying, key or password sharing on email and newsgroups
  • 34. Main conferences • Design – All security conferences and workshops • Attacks – CCC – Black Hat – Defcon – Usenix security
  • 36.
  • 37. Encryption user computer E, k Encrypted data D, k data data
  • 38. Steganography user computer E, k Mixed data D, k Secret data Secret data Clear data
  • 39. steganography • Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message.
  • 41. Steganography: example Removing all but the two least significant bits of each color component produces an almost completely black image. Making that image 85 times brighter produces …
  • 42. Steganography: example Removing all but the two least significant bits of each color component produces an almost completely black image. Making that image 85 times brighter produces …
  • 43.
  • 44.
  • 45. Haystack (SFO) • Haystack was a partially completed proprietary network traffic obfuscator and encryptor that was being designed to circumvent internet censorship in Iran.
  • 48.
  • 49. Ethical problems • Use by opponents (which ones?) • Use by terrorists • Use by « pirates » (p2p networks) • ACTA? (Tor not legal in some countries?) • What to do?
  • 50. pdf file (versus word) • Pdf is not an easy solution for the receiver… • Very dangerous due to the possibility of hidden and malicious executables