GloabLeaks ESC2011

GlobaLeaks
The Open Whistleblowing Framework

Sunday, September 4, 2011

Agenda

• Why does GlobaLeaks exists?
• How does it work?
• Who will use it?
• How can you hack on it? Join GlobaLeaks!
• # ./startglobaleaks


ARG*:
GlobaLeaks Organization
• There is no hierarchy of power
• No Ofﬁcial Role
• Every member of GlobaLeaks is A Random
GlobaLeaks Contributor|Developer|
Spokesperson|Advocate


Why does GlobaLeaks
exists
Why we want to change the world into a better place


Motivations

• We wish to make this world a better place
• We strive to increase transparency and
accountability in our society


Existing Solutions
• The existing software lacked basic privacy-
aware (anonymity) and security features
(encryption).
• Existing projects are less open that they
want to make people believe.
• Only commercial software or outsourced
WhistleBlowing services


Research on WB
• We started a research a
research on Whistleblowing
on Dec 2010

https://leakdirectory.org

SHA Fingerprint:
2F 78 1A E7 34 32 44 35 1D 68 6A DE B7 83 58 F6 11 41 BC E0


The WB ecosystem


So what’s
Whistleblowing?

• A whistleblower is somebody that informs
of illicit activity.
• Activates citizens in their own local politics
• Activate people in their global view


Active citizenship
“... which of two common types of character,
for the general good of humanity, it is most
desirable should predominate — the active, or
the passive type; that which struggles against
evils, or that which endures them; that which
bends to circumstances, or that which
endeavours to make circumstances bend to
itself.” John Stuart Mill, "Representative
Government" (1869)


Transparency and
Accountability
• People should start demanding
transparency and enforcing it with
GlobaLeaks.
• Corporations and governments will
understand the need to be more
transparent


How GlobaLeaks
works
How we plan to change the World


The actors involved in
GlobaLeaks

• The Whistleblower
• The Targets
• The Node Administrator


Whistleblower

• An Active citizen that is aware of some
malpractice and wrongdoing
• She/He will notify the GL node of such
information


Targets

• She/He is the person responsible for
analyzing the material
• No consent
• Diversiﬁed actors as incentive


Node Administrator

• The person running GlobaLeaks software
• Choose the target list
• Choose the goals and objective of ther
activities
• Behave depending on the context and goals


Interaction
Audience
WhistleBlower Submission

Output
pre
NGO ss

download
Node
Administrator
Targets
node
• the node
administrator notiﬁcation
select a list of
targets • A Tulip is created


Notiﬁcation (TULIP)

• Temporary Unique Link
Information Provider

• The means of
communications
between the target and
WhistleBlower


TULIP

• Expires after a fixed amount of downloads
and time
• Is unique to every target/material
• The data can be stored inside a flexible and
configurable container (see local storage,
FTP, Dropbox,Tahoe-LAFS, etc.)


TULIP notiﬁcation

• Flexible and expandable notiﬁcation system
• email, twitter, facebook, SCP, ticketing
system


TULIP receipt


GlobaLeaks anonymity

• Tor Hidden Services for pubblishing
• Protection of WhistleBlower and Node
maintainer
• Tor client for notiﬁcations


GlobaLeaks security
• Authentication
• TULIP based authentication
• optional password
• Encryption (optional)
• ZIP AES, PGP container
• Applies to data and notiﬁcation
• Security
• optional metadata cleanup facilities (MAT)


Target - Whistleblower
interaction

• Send and receive comments
• WhistleBlower is able to upload more
material regarding a submission
• Secure JS based chat system?


Who will use
GlobaLeaks
Different ways of using GlobaLeaks...
...The Swiss Army Knife of Whistleblowing


Media

• Media outlets, Magazine and Journalism
associations can setup a WB interface
• Collects Anonymous report by default
• Two real world use cases


Transparency Activism (1)
• NGO and informal activism organisations
• They will promote the GL node
• They will only promote the GL node and
others will analyze the data
• Advocacy on the importance of
Transparency and accountability
• Corruption spotting

Transparency Activism (II)
• Break the three monkey principle


Private Corporations
• Important tool to be integrated within the
corporate organizational model
• Typically managed by internal audit
• Accountability mandated by the law
• Sarbanes-Oxley Act (USA)
• Dlgs 231 (Italy)

Public Agencies

• Internal and external public WB services
• USA IRS, US SEC, EU Antitrust
• Involve citizens into spotting tax evasion,
market manipulation, corruption,
malpractice in health and environment


Ways to publish a
GlobaLeaks Site
Different ways of bringing online a GlobaLeaks site
depending on how you want to use it


Pure Hidden Service
• Pros

• Submission is highly secure.

• Does not rely on legacy technologies such as
SSL.

• DDOS protected.

• Location of every network entity protected.

• Requires to setup only one device.

• Cons

• Submitters must use a Tor client.


Hybrid: HS + tor2web
• Pros
• Location of the backend storage server
protected.
• Backend DDOS protected.
• Does not require clients to install any
software except a browser.
• Cons
• Relies on legacy technology such as SSL.
• The tor2web node can be targeted by a
DDOS or SSL man in the middle.

Web only solution
• Pros
• Does not require clients to install any
software except a browser.
• Requires to setup only one device.
• Cons
• Relies on legacy technology such as SSL.
• The location of the server is disclosed.
• It can be targeted by DDOS attacks and
MITM.
• One single point of failure.

WTF!?
... Or, how will we change the world.


The Tulip movement
• The WB gives TULIPs
out to targets

• This is a gift to
humanity

• TULIP is also used as an
acronym in Calvinism

• Flower power leads to
open and transparent
society.


How can you hack on
it ?
Practical way to start hacking on GlobaLeaks, have lots
of fun, drink lots of wine and taste good Italian food


Launchpad and Bazaar
• Seif, hellais bitch, recommended it, but it’s a bit of PITA.
• send him emails for help on bzr
(seif@globaleaks.org)
• Install bazaar, is the versioning system
• register your user in http://lauchpad.net
• we’re http://launchpad.net/globaleaks
• check the blueprints:
https://blueprints.launchpad.net/globaleaks


Technologies

• Python
• web2py (http:///web2py.org/book)
• MVC model
• Secure by default against web attacks
• Object Oriented


Delivery

• Self contained .exe
• Self contained .app
• Drag and drop install experience
• Even non techie people will run it.


and now...


brace yourselves.


# ./startglobaleaks


Questions?


GloabLeaks ESC2011

Recommended

Recommended

More Related Content

Similar to GloabLeaks ESC2011

Similar to GloabLeaks ESC2011 (20)

Recently uploaded

Recently uploaded (20)

GloabLeaks ESC2011