The controversial WikiLeakS.org website (no longer the current website, this now only redirects to a partial mirror of the original website) is still no longer accepting any submissions of leaked documents from ordinary, local or regional whistleblowers.
They and their mainstream media collaborators, have instead, been busy milking the vast amount of secret information which seems to have come from the imprisoned, but as yet unconvicted, low level US Army intelligence analyst in Iraq, Bradley Manning and they have survived various legal and illegal attacks on their computer and internet infrastructure as a result.
There is a new WikiLeakS.CH website which now boast over 1600 mirror websites, the setting up of which has , incredibly, been done by getting gullible people to send off an unencrypted web form with the volunteer's computer login and password details, in the clear, for various government agencies, ISPs and criminals to snoop on and intercept .
Neither WikiLeakS.CH nor any of its mirrors is running any working, leaked document submission system, so the news that a new website, called OpenLeaks.org is set to launch on Monday is quite interesting,
However so are the other alternatives such as BrusselsLeaks.com, or BalkanLeaks.eu, or WikiSpooks.com, or the comparatively venerable Cryptome.org, or the Indonesian IndoLeaks.org
Anybody thinking about using any of these websites to contact journalists, or to upload whistleblower leak documents, should firstly take some or all of the anonymity and security precautions which you can find at our website ht4w.co.uk - Technical Hints and Tips for protecting the anonymity of sources for Whistleblowers, Investigative Journalists, Campaign Activists and Political Bloggers etc.
Some Spy Blog Questions, Analysis and Opinion on these whistleblower websites:
OpenLeaks.org
This site which is apparently to be run by some of the disgruntled WiikiLeakS.org technical staff is more modest in its aims, but it still faces the same sort of questions which WikiLeakS.org refused to answer satisfactorily since its inception.
See this detailed list of Questions, posted on the long running WikiLeak.org blog (no "s"), which has been examining the ethical and technical issues surrounding the WikiLeakS.org project, which the journalists and other commentators who will be trying to interview OpenLeaks people next week, should really be asking about this new project:
Will OpenLeaks learn from the mistakes and successes of WikiLeakS ?
e.g.
* How will a whistleblower know if their "leak" is likely to get published or not ?
* If not, then why would they use OpenLeaks at all ?[...]
What protections will there be against Communications Traffic Data Analysis to protect the individual journalists who may have access, or may be strongly suspected of having access to such leaked material ?
If, for example, someone were to upload some alleged real, life threatening secrets, perhaps a list of names, job titles, home addresses, photos , fingerprints, DNA profiles etc. of intelligence or counter-terrorism agency officers or undercover police officers, then how will OpenLeaks protect the identities of individual journalists who had access to cryptographically protected "part of the system" ? Communications Traffic Data analysis (i.e. which computer logged into the system at which time and what size of files were transferred etc.), could identify individual journalists, who might then be put under intrusive surveillance or harassment or arrest, even if the encrypted content could not be read by third parties ?
[...]
- How many, if any, of the OpenLeaks team will declare their involvement and support of the project publicly ? Who are they ?
- Will OpenLeaks be less aloof and arrogant and Twitter dependent than WikiLeakS.org ? (Despite having a Wiki and a Website and for a time a "blog" and email as methods of publishing detailed Press releases, WikiLeakS.org favoured short Twitter messages which, for complicated issues, come across as curt and arrogant. These Tweets were mixed with various ad hominem attacks and gripes against opponents)
- Which of the several already registered domain names using OpenLeakS / OpenLeak etc . will this new website actually use from Monday ?
It appears from their Twitter feed,
https://twitter.com/openleaksorg
that at least one of the website Domain Names is
- Will there be multiple physical mirrors of the content as well as multiple domain name DNS aliases pointing to the main website ?
- Will OpenLeaks use secondary and tertiary etc. DNS providers,in different legal jurisdictions, so as not be vulnerable to legal or illegal attacks on a single DNS provider , something which WikiLeakS.org was warned about, but chose to ignore until very recently ?
- Will OpenLeaks eschew the stupid WikiLeakS.org policy of "security through obscurity" and embrace Kerckhoffs' Principle ? i.e. "a cryptosystem should be secure even if everything about the system, except the key, is public knowledge."
- Will OpenLeaks publish a high level technical / security / anonymity infrastructure architecture overview ? (WikiLeakS.org never did this, relying on buzzwords and names of open source security / anonymity tools which they never properly explained the specific risks of their particular implementation of. They often actually never used (e.g. Freenet) , or stopped using some of these claimed technologies after a while, for no good reason (e.g. the use of PGP encryption / digital signatures.)
- Will OpenLeaks actually use a proper SSL/TLS Digital Certificate for https:// encryption, especially of any contact or submission web forms ? (WikiLeakS.org started off ok with one, but failed to replace it when the MD5 digital signature weakness was made public, then failed to renew it, then re-introduced a Digital Certificate for a while, but have now abandoned this again)
[UPDATE 30 Dec 2010: https://www.OpenLeaks.org does now sport a proper Digital Certificate, from GlobalSign, which is what WikiLeakS.org eventually got around to using this year, after they incompetently let their old (potentially weak) Digital Certificate expire. N.B. WikiLeakS.CH still does not offer any such encryption at all.]
- Will OpenLeaks publish and use one, or more, Pretty Good Privacy (PGP) public encryption and digital signing keys ? (WikiLeakS.org initially, after some prompting, published a PGP Key, then allowed it to expire after a year and then claimed that they were developing some sort of alternative encrypted email system, which never appeared )
- Will OpenLeaks publish a Tor Hidden Service to allow more anonymous file uploads ? (WikiLeakS.org did start off with a Tor Hidden Service option, but abandoned it a year ago, although there was a brief re-appearance of a different one in July)
- Will OpenLeaks accept postal submissions and / or financial donations ? (WikiLeakS.org did publish a list of "safe" PO box addresses, including one in Kenya, which they managed to continue publicising for financial donations, even after there was physical a break in to the premises and even after they had inappropriately only used Twitter to warn off some, but not all, people, from using it any longer)
- What feedback will there be to an anonymous whistleblower that their submission or communication has actually been successfully received ?
- Will OpenLeaks automatically or semi-automatically sanitise the tell tale meta data , which is embedded in so many Microsoft Word word processor documents or Excel spreadsheets etc. or in Adobe .pdf files or in digital photos or in videos or audio clips etc. ? (Remember that sometimes this meta data does gives clues as to the authenticity of the original documents, but it can also specifically betray, or at least narrow down the search, for an otherwise anonymous whistleblower)
- How will OpenLeaks raise any funds ?
- What will they do to protect the anonymity of financial contributors ?
- What level of financial transparency and auditing of the finances will there be ?
- Which media organisations and government agencies will have pre-publication access to the submitted material ?
- Why should OpenLeaks be any more trustworthy than WikiLeakS.org ?
Spy Blog opinion:
We will they fix or repeat some of the technical mistakes that the ex-WikiLeakS.org
people should be familiar with ?
Until they provide Answers to most of the Questions above, they cannot be yet be trusted by whistleblowers who wish or need to remain anonymous (at least for the time being).
All of these Questions also apply to a couple of new "regional" Whistleblower Leak websites, which have been inspired by the WikiLeakS.org example, but which are independent of it.
BrusselsLeaks.com
The European Union Parliament and the European Commission, its Byzantine bureaucracy, based in Brussels and in Luxembourg, is the heavily influenced by leaked copies of documents produced by itself and by various vested interest lobbying firms and organisations.
The new BrusselsLeaks which makes use of a hosted WordPress blog, with a WordPress Digital Certificate encrypted submissions form.
However this only protects the content of the data in transit, and it may end up unencrypted on the WordPress blog servers, and may be retrieved insecurely via , say, FTP, by the BrusselsLeaks team.
There is also a Hushmail Encrypted Web Form for document uploads.
https://forms.hush.com/brusselsleak
which should provide securely encrypted uploads and storage and retrieval of whistleblower leaked documents, provided that a Canadian Court Order is not obtained by any European Union investigating authority.
There is no use of Tor Hidden Services etc. for complicating the work of Communications Traffic data Analysts, who may be trying to track down the anonymous whistleblower source.
How can people trust you?
Most of us have been in Brussels for a long while working in various capacities for media outlets. Nobody here is affiliated with an industry or other lobby group.
What we see all the time (and we're sure you've seen) are people working for lobby groups or powerful institutions who want to get information out there, but can't. Even if they had personal connections with us, they just didn't feel comfortable passing on documents. And sometimes we did get the documents, but couldn't get them out there because our known personal connection to 'that person' might put them in danger (i.e. job security).
We thought for a while it'd be a good idea to set up a website to allow people to anonymously upload files or send tip-offs on issues which we could use to either publish ourselves or send on to relevant people.
Wikileaks - something we have no connection with other than ideals - showed the power of this. As we say on the website, we are not necessarily expecting outrageous revelations but there is a lot of important information out there - information which might help an NGO explain why the European Commission is failing to act on something in particular, for instance. This isn't necessarily all about media; it's about getting documents out there to help society. That's what is important to us.
The people we know trust us personally, and if the website fails then so be it, we can carry on.
How do you know we are not a lobbyist or political group? We're not and in the coming months that should become plainly obvious. We're paying for the website and encryption tools out of our own pockets, and we all have (bar one person) full time jobs outside of this.
WordPress is based in the USA as is the legal jurisdiction for the BrusselsLeak.com domain name, which should act as a slight extra legal hurdle to jobsworth bureaucrats and policemen within the European Union who may try to force the website offline through illegal threats without a Court Order etc.
BrusselsLeaks have a Twitter feed, which can be accessed vuia SSL/TLS if you manually choose https:// . just like the WordPress hosted blog.
https://twitter.com/brusselsleaks
Spy Blog opinion:
Although they have yet to publish any leaks, BrusselsLeaks are worth following to see if they come up with important European Union leaks, which could allow public scrutiny and perhaps opposition to various vested interests' manipulation of the European Commission and European Parliament to develop.
Hopefully it will be a useful addition to the documents obtained and analysed by StateWatch.org
The use of properly encrypted web forms, hosted outside of the European Union is to be commended.
Some more thought and advice about Communications Traffic Data Analysis avoidance techniques is needed.
Publishing a separate PGP Public Encryption and Digital Signing Key which could be used in addition to the web form, would be a useful reassurance
BalkanLeaks.eu
Slightly more technologically astute, necessarily so , given the authoritarian Communist secret police mindsets of many of those still in power in the region, is https://BalkanLeaks.eu.
This is based in Bulgaria, with webservers in Canada and Domain Registration in the USA. They insist on submissions being made through a Joomla based website running a Tor Hidden Service.
Dear friends,
Following the example of the whistleblowers site Wikileaks we opened this site to promote transparency and fight the nexus of organized crime and political corruption in the Balkan states.
We are deeply convinced that we're not alone in this battle. There are plenty of people out there that want to change the Balkans for good and are ready to take on the challenge. We're offering them a hand.
If you have any confidential documents related to political, criminal or financial topics and you want to share them with the press in a secure, anonymous way, you can use our secured and encrypted upload server. We will review the documents and publish them after checking the information.
To submit just follow those simple steps:
1. Download and install the Tor Browser Bundle for your system.
2. Launch the Tor browser and connect to our tor enabled server: http://r52mjuw7bkfbgtht.onion/upload/index.php
3. Wait! Tor is secure, but slow :-( If it really takes too long to join the page reload the tor browser.
4. Upload the files and disconnect.
Tor is working in such a way that nobody, including the administrators of the site can't guess who is the real submitter.
Tor offers a pretty high level of security and anonymity, but if you wish to do even better follow the recommendation:
- do not use your work computer for submitting;
- use a public, password free WiFi point;
- use a VPN connection to a server outside your home country.
Please, respect the following requirements for your uploads:
* Upload only documents which are either:
* not available in the public space or
* are in the public space but reveal data not known from previous journalistic investigations.
* Please, join a short description of your uploads;
* Name and number the documents in a comprehensive way;
* Do not upload opinions and allegations without document proofs.Please, prefer the PDF format.
Thank you for your contribution.
The Balkan Leaks team
By using Tor end to end encryption, there is no need to run a SSL/TLS Digital Certificate encrypted web form, as this does not add any extra encryption over and above that of the Tor Hidden Service.
[UPDATE 27 Dec 2010: This website did not originally have a Digital Certificate , but it does have one now:
https://www.Balkanleaks.eu"]
Hopefully the leaked data is encrypted once it is on the BalkanLeaks.eu web server and can be retrieved securely as well.
They have already published some whistleblower leak documents available for download, translated into English and French e.g. The State-Mafia simbyosis in Bulgaria (.pdf)
Spy Blog opinion: worth following for Bulgarian and perhaps other Balkan state leaks and news.
They do seem to be taking Communications Data Traffic seriously, hopefully they also use encryption once the data is on their web server.
Publishing a separate PGP Public Encryption and Digital Signing Key which could be used in addition to the web form, would be a useful reassurance.
A Twitter account, used properly, to publicise newly published documents would be helpful to busy journalists, bloggers and politicians etc. It would also provide another communications channel to call for help if the main website is under legal or illegal attack, as WikiLeakS.org have shown.
WikiSpooks.com
is run by Peter Presland of Sabretache blog fame, with some friends and volunteers.
WikISpooks.com seeks to publish documents and articles possibly on the political fringe, challenging the accepted "official version" of events and news i.e. there could well be some "conspiracy theory" stuff, but that does not mean that it cannot be used by "ordinary" whistleblowers.
Just like the original WikiLeakS, this website does actually allow the public to comment on and analyse the documents and articles it publishes, using the same software as Wikipedia.
They also now have a proper Digital Certificate which protects the whole website if you use the https:// prefix rather than http:// (just like hosted WordPress blogs do)
This is especially important for the WikiSpooks Anonymous Submissions form.
https://wikispooks.com/anon/anon-ul.html
The do publish an Anonymous Uploads received page, to show whistleblowers etc. that they have succeeded in uploading something, although there should perhaps be some warnings about not revealing too much in the name(s) of the uploaded file(s).
https://wikispooks.com/wiki/Anonymous_Uploads_Received
WikiSpooks do publish a PGP Public Encryption Key [PGP Key ID: 0xE1CCF96F].
They offer some sound advice and warnings regarding Anonymity etc. online. https://wikispooks.com/wiki/WikiSpooks:Anonymous_Uploads Although seemingly aimed at a United Kingdom based, English speaking audience, the website is hosted in the Republic of Ireland with Domain Name Registration in the USA, so again, there is an extra legal hurdle for officious bureaucrats and shyster lawyers in the UK, if they attempt to censor it. Spy Blog opinion: Probably the closest to the original WikiLeakS.org concept, allowing for wiki style user comments and analysis. Above average use of encryption. Could be useful for United Kingdom based whistleblowers and journalists. A Twitter account, used properly, to publicise newly published documents would be helpful to busy journalists, bloggers and politicians etc. It would also provide another communications channel to call for help if the main website is under legal or illegal attack, as WikiLeakS.org have shown. Cryptome.org The veteran New York architect John Young has been publishing Cryptome.org since about 1996. There are a couple of mirrors of the content archive, which is also available on DVD for a moderate fee. This website used to garner media attention now and then, for controversial whistleblower leaks or alleged disinformation e.g. alleged lists of the names of MI6 secret agents etc. John Young was approached to be part of the WikiLeakS.org team, but he became disenchanted with it early on, and he leaked internal WikiLeakS.org email discussions onto his Cryptome.org website. Standing firmly on his 1st Amendment to the US Constitution rights, John Young has resisted censorship attempts by his own and foreign governments. His website has suffered from illegal hacking attacks and denial of service attacks, but the most serious threats to it being online have come from the activities of corporate lawyers from Microsoft etc. who have threatened expensive legal action against Internet Service Providers and Domain Name registrars, thereby temporarily succeeding in shutting down Cryptome.org, due to the publication of leaked documents describing their corporate Law Enforcement cooperation policies for services like Hotmail etc. John Young does publish a PGP Public Encryption Key for jya@pipline.com [PGP ID: 0x58A4971E], but he does not bother with Digital Certificates or web submission forms. http://cryptome.org/other-stuff.htm The contact email address is currently: cryptome@earthlink.net There is a Twitter account, https://twitter.com/cryptomeorg but this does not seem to get updated every time a new article is published on Cryptome.org. He usually , but not always, censors personal names from emails sent to him, but he always publishes in full, attempts at censorship from lawyers and government agents. He also delights in challenging real or alleged journalists to prove that they have actually bothered to read his website, before they ask stupid questions when interviewing him and he usually publishes any emails or transcripts of phone calls or video interviews etc. Mixed in with obscure public domain US Government documents, photos and maps of supposedly sensitive US Government buildings (which the Russians and Chinese etc. know about from satellite imagery etc.) there are few whistleblower leak documents , but also rather too much anonymous ad hominem attacks on, say, WikiLeakS, or on "intelligence agencies", from anonymous and very often unreliable sources, some of which could be John Young himself. Several documents and allegations regarding terrorist and intelligence agency alleged double agent and informer activities Northern Ireland have been published on Cryptome.org Spy Blog opinion: Almost any of the WikiLeakS.org leaks could have been sent to Cryptome.org, and, if published, would have been seen and used by quite a few mainstream media journalists. However, John Young is at least as egocentric and (with good reason) as paranoid as Julian Assange, so publication is not guaranteed. Any anonymous whistleblower would have to take their own anti Communications Traffic Data precautions in contacting Cryptome.org. IndoLeaks.org This launched last Friday 10th December 2010, using a USA registered Domain Name and the services of Google Docs and Blogger and Gmail and has already published several "leaks" e.g. a now declassified Transcript of a conversation between the Indonesian dictator General Suharto and US President Gerald Ford (.pdf), together with Henry Kissinger, just before the Indonesian invasion of East Timor in 1975,.from the Gerald R. Ford Library - the sort of document obscure which is often published by Cryptome.org and which would otherwise be ignored by the mainstream and even alternative media. The IndoLeaks.org About Us page (translated via Google), does draw some clear lines about what will not get published on IndoLeaks.org e.g. [...] You can also share with us, with contact through indoleaks@gmail.com
So IndoLeaks.org have a higher moral standard than WikiLeakS.org, which has published this sort of personal data.
- Indoleaks.org NOT responsible for the use of the published document.
N.B. IndoLeaks.org does not currently point to the web blog, only www.indoleaks.org does
There is also no SSL/TLS Digital Certificate to protect browsing and downloads of possibly controversial or sensitive whistleblower leaked documents.
If Gmail is used with https:// SSL/TLS encryption, then this will provide a high degree of confidentiality regarding what is sent to IndoLeaks.org..
The use of Gmail will provide less than zero protection from Communications Traffic Data Analysis, since that is what Google does commercially, all of the time.
The operators of the indoleaks@gmail account / blogspot account, should be careful to disable the Google tracking cookies etc., after each time that they access this account, as otherwise they will very likely identify themselves to Google and their customers (including Governments) when visiting other websites.
There is a Twitter feed https://twitter.com/indoleaks which seems to have generated quite a lot of interest from the media and other commentators.
Spy Blog opinion::
Trusting Google with everything seems foolish for a whistleblower website.
IndoLeaks.org should provide, or at least link to, advice about Tor, open WiFi systems, VPNs etc. to help its sources protect their own anonymity.
Publishing a separate PGP Public Encryption and Digital Signing Key which could be used in addition to Gmail, would be a useful reassurance of a commitment to protect anonymous sources.