On 5/16/13 12:05 AM, Eleanor Saitta wrote:
> Which parts of the Dead Drop architecture do you think are unnecessary
> for a leaking platform?
First of all, "leaking" is not necessarily "whistleblowing" (it's like
the cracking vs. hacking "wording debate" :P).
The act of protecting the identity of someone who "speaks up" on a
specific topic (in the public interest) can also be "whistleblowing" or
"speaking up", depending on the area (media, activism, corporations,
public administration) and the security context (risk of retaliation via
life threats vs. legal threats).
If I had to take action on DeadDrop, I would simplify as follows:
- Make everything work with only 1 server
- Make everything installable with a few command lines
- Don't use custom-modified software but only standard software (that
you can update with the standard Linux packaging procedures)
- Find a tradeoff between the need for "efficiency" and "security" for
the journalist (there may be many different ways), not forcing them to
go through a custom, read-only, secure viewing workstation for all
submissions
Those actions are mostly for the following reasons:
- The "Secure Viewing Workstation" is unrealistic
A journalist (or a group of journalists) needs to work on received
material "online" and not "offline", because they need to search
databases, browse Google and apply investigative techniques to
investigate the topic.
And do it in an efficient way, because time is always a scarce resource.
Additionally they need, for efficiency purposes, to "collaborate" on the
received material, and to do so there are excellent platforms for
sharing it like http://www.DocumentCloud.org or DMS (document management
systems) like Alfresco (www.alfresco.com/) that can help with extracting
text, applying semantic analysis, and collaborating on documents.
All that kind of process has to be done "online".
So I really think it's unrealistic to handle dozens or hundreds of
submissions per month by copying received data offline, decrypting and
analyzing it offline through a different workstation.
IMHO in a realistic workflow, at first the journalist quickly "evaluates"
the data received, identifying if it's spam or ham, defines how
securely he should handle that data, and then applies the "appropriate
operational security procedure" depending on the data received.
- Too Many Servers
Looking at
https://raw.github.com/deaddrop/DeadDropDocs/master/Deployment.jpg we
see that there are 4 servers, 1 switch, and several pieces of dedicated
hardware for operational security (external encrypted hard drive), with
a quite complex installation procedure:
https://github.com/deaddrop/DeadDropDocs/blob/master/README.md .
This increases the cost and effort required to start up a whistleblowing
initiative in terms of hardware, software, services and skill set
required.
- Too Much Customized Software
Looking at the installation procedure, there are several customized
procedures and pieces of software, such as using a "Hardened GRSecurity"
Linux kernel, requiring manually maintaining security updates for every
kernel release, and manual setup of a Certification Authority (with
OpenSSL), requiring manual handling and management of certificates via
the command line.
Anyhow, "DeadDrop" has its own design, it's cool, it is *extremely*
paranoid and I like it.
I just find it overkill for general use.
--
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - https://globaleaks.org - http://tor2web.org