Recently in Protecting Authors and Analysts Category

WikiLeakS.org has a new IRC chat setup https://chat.wikileaks.org

[hat tip to IRC user "Odin" for spotting a typo in a previous reference to the old IRC system]

The new WikiLeakS.org Chat Page still claims that this is

(also good for safe interviews with anonymous sources).

which is simply not true of IRC or any other "live" chat or messaging system which is likely to be subjected to Communications Traffic Data Analysis by intelligence or law enforcement agencies.

Unless the anonymous whistleblower or potential whistleblower, takes extra precautions, then all of these systems could easily betray his or her identity, regardless of the fact that the content of what they type has been strongly encrypted.

The new IRC chat URL is now

https://chat.wikileaks.org/

or

ircs://chat.wikileaks.org:9999/wikileaks

Instead of the old self-signed Digital Certificate, which they used from January 2010 on httpps://secure.wikileaks.org:9999, they have now installed one from the same commercial Certificate Authority (GlobalSign nv-sa ) which is used for the htps://sunshinepress.org Wikileaks Upload web form

chat_wikileaks_org_dc.jpg

To be consistent and to help too establish trust in this Digital Certificate in case of Man--in-the-Middle attacks, WikiLeakS.org should really publish the cryptographic hash fingerprints
for this certificate, as they have done with the httpps://sunshinepess.org web pages

N.B. they should also have published the hash fingerprints on an actual WikiLeakS.org web page, since very few people will have heard of sunshinepress.org.and some of them will, correctly, be suspicious of it.

Since WikIleakS.org have not yet done so, here are the hash fingerprints for the benefit of web search engines queries:

https://chat.wikileaks.org
Serial Number: 1000000000129DC536192
SHA1: 8E:15:E9:2E:39:6F:F8:32:8B:49:A1:F3:E2:E3:14:AF:10:2A:B4:42
MD5: 43:EB:23:08:AF:E2:14:87:FC:DA:A3:43:F0:60:93:AD

IRC should not really be the primary method of contacting the WiiKiLeakS.org technical staff.

Perhaps as a result of the recent publicity in Wired magazine about their broken security technology promises and systems, which this blog has been commenting on for a while, WikiLeakS.org now appear to have brought back their SSL / TLS session encrypted web form, for "secure" Uploads of electronic documents to the website..

wl_upload_form_1.jpg

No announcement or explanation or apology

Typically this has been done without any explanation or apology, on the main web site or via the Wikileaks Twitter propaganda broadcasts or press release emails.

Neither has there been any announcement or discussion of this major development on the as yet unused new Official Wikileaks Blog:

This blog is to discuss technical or community issues related to WikiLeaks and Sunshine Press that do not have a natural fit on the main WikiLeaks pages.

Note that the word "blog", like the word "wiki", has been redefined in WikiLeakS.org's Orwellian newspeak - they really mean "another channel for propaganda broadcasts, which does not allow any feedback via comments from the public", the very opposite of their usual meanings.

As always with WikiLeakS.org, there is still no clear explanation of the advantages and disadvantages or actual risks to your anonymity of using this re-launched and modified document submission method, if you are a potential whistleblower.

Worryingly, there could also be hidden tracking of the IP addresses and other web browser details of each upload submission with this new Upload Form. (see below)

Still no SSL encryption for Downloads, as there used to be

There still does not appear to be any re-introduction of the SSL / TLS encrypted web session Download option on the couple of thousand whistleblower leaked document pages, as there used to be. The only options are still the unencrypted "File" and the bittorrent Peer to Peer options "Torrent | Magnet ", which are likely to be blocked in many places.

N.B. despite the hype, there has never been "over a million" documents published on WikiLeakS.org as various media reports have claimed,
a misconception which WikiLeakS.org have deliberately never corrected.

The new Wikileaks Upload form

The new web submission form links from the main WikiLeakS.org website, as before, but instead of going to https://secure.wikileaks.org the new web form is at

https://sunshinepress.org

A positive point is that they do publish the Digital Signature hashes which correspond to this
correspond to the new Digital Certificate:

Before submitting anything verify that the fingerprints of the SSL certificate match!
SHA256 85:C3:77:8E:7F:BC:96:42:CF:EE:03:B0:AC:4A:2A:26:15:18:CB:50:41:EC:7A:2A:CC:9F:56:60:67:94:04:7E
SHA1 68:C3:4B:3D:05:7A:53:E3:8C:FE:71:F1:30:3D:8A:AD:8E:33:0A:76
MD5 4B:6F:6A:D8:A2:29:7F:06:F3:4F:33:EE:74:32:1C:F8

The laudable intention is to provide some sort of authentication that this data file upload form is being run by WikiLeakS.org, but not for the first time, WikiLeakS.org have made a mistake with the fundamental trust model.

However WikiLeakS.org are establishing the chain of trust from the wrong place - the new Digital Certificate and its cryptographic hash "fingerprints" help to verify that this is a sunshinepress.org web page, but they do not verify that it is a wikileaks.org one.

The Upload Form almost certainly is being run by WikiLeakS.org, only because those of us who are familiar with the history of WikiLeakS.org and who have carefully explored that website, will notice that that the WikiLeakS.org Contact Page now exclusively publishes contact email addresses using

@sunshinepress.org

The sunshinepress.org domain name has been a "cover name" since the beginning of the project and has been used to help collect financial donations.

Given the risks of DNS poisoning or Man-in-the-Middle attacks, WikiLeakS.org should have published these hash values on a WikiLeaks.org web page, certainly not just on the unfamiliar to most people, sunshinepress.org one.

Anyone familiar with fake internet banking "phishing" websites should have noticed this error.

The web form retains what may be the the original submission system's delayed publication / embargo request facility.

The old scheme used to explain that there was a deliberate, random delay between submission and publication, in order to help to confuse Communications Data Traffic Analysis, but perhaps, like so much else, this was not true, and just relied on the editorial approval process to introduce a delay.

It is unclear if any of this still applies with the new Upload Form.

Making a hash of the footnote

The footnote which repeats the SHA1 cryptographic hash of the Web Server's Digital Certificate, which appears on each of the subsequent pages during the data file upload process, is a bit confusing.

Each of the Leaked Document pages publishes, from the previous "secure" submission system is published with a cryptographic hash of the file which was uploaded e.g.

Cryptographic identity SHA256 27b41de6409afc666abd12e65de417439a78b94dbe37bfd601f02e531a2f15a3

but without giving or pointing the website visitor or the original whistleblower to any tools to use this "fingerprint" to actually verify that the file being downloaded has not been tampered with or corrupted.

Similarly, the weaker but still adequate SHA1 hash on the footnote of Upload Form pages does not actually prove that the content of each web page it appears on has not been tampered with or corrupted - it would have to be a Digital Signature for each individual page to do that, using something like PGP (which WikiLeaks.org are stupidly still boycotting).

Courage is contagious.
SHA1 68:C3:4B:3D:05:7A:53:E3:8C:FE:71:F1:30:3D:8A:AD:8E:33:0A:76

At first glance it appears to be a hash of the words "Courage is contagious", which it is not. (it is debatable if the slogan is true or not).

GlobalSign Digital Certificate

The new Digital Certificate is from a recognised commercial Certificate Authority, GlobalSign nv-sa unlike the self signed one used by the WikiLeakS.org IRQ IRC chat server.

wl_digital_certificate_1.jpg


CN = GlobalSign Domain Validation CA
O = GlobalSign nv-sa
OU = Domain Validation CA
C = BE

[...]

CN = sunshinepress.org
O = sunshinepress.org
OU = Domain Control Validated
C = SE

The GlobalSign Certificate Authority is based in Belgium, which may make it a little more resilient against a US or UK court order attempt to force them to revoke this Digital Certificate.

Lawyers have already gone after the equally neutral and illegal content free wikileaks.org domain name, so it is only a matter of time before they try the same sort of legal trickery and threat of expensive court costs, even if you win the case, with SSL Certificate Authorities as they have done with Internet Service Providers and with Domain Name registrars.

See our censorship threats from Lawyers category archive

Whether this Belgium based CA will secretly hand over the private de-cryption keys for this sunshinepress.org / wikileaks.org upload web server when faced with a Mutual Legal Aid Agreement or European Evidence Warrant from foreign intelligence or police agencies or a Belgian police warrant or Court order, remains to be seen.

At least now, this current Digital certificate from a commercial Certificate Authority is, by default, trusted by the vast majority of web browser software, which will therefore not pop up warning messages, which would certainly put off some or all sensible or paranoid whistleblowers.

Like all modern Digital Certificates it uses SHA1 and does not rely on the potentially foregable MD5 cryptographic hash, which the old WikileakS.org Digital Certificate used to.

This Digital Certificate is valid from Friday 16th July 2010 for a year:

Not Before:
16/07/2010 10:47:50
(16/07/2010 10:47:50 GMT)

Not After:
17/07/2011 10:47:46
(17/07/2011 10:47:46 GMT)

It covers 3 possible domain name aliases:

wl_digital_certificate_2.jpg

sunshinepress.org
www.sunshinepress.org
submit.sunshinepress.org

All of these domain names resolve to the same IP address that the wikileaks.org ones do i.e. to

IP address: 88.80.2.32
Host name: wikileaks.org

IP address: 88.80.2.32
Host name: sunshinepress.org

They all appear to use the same kind of Reverse Proxy Server:

Via: 1.1 https-www
Server: Sun-Java-System-Web-Server/7.0
Proxy-agent: Sun-Java-System-Web-Server/7.0
X-powered-by: Servlet/2.4

With this new Digital Certificate, WikiLeakS.org is back to the situation it was between its May re-launch and 12th June , when the old Digital Certificate was unprofessionally allowed to expire with any rollover to a new one.

Still no return of the Tor Hidden Service

There is still no Tor Hidden Service end to end encryption through the Tor anonymity cloud, like there used to be before the self-imposed shutdown of the website last Christmas 2009.

UPDATE:


http://suw74isz7wqzpmgu.onion/

has been announced on the Official Wikileaks Blog and by Jacob Applebaum standingin for Julian Assange at the HOPE hackers' conference in New York.

Potential snooping via the WikiLeaks.org Upload form

wl_upload_thank_you_1.jpg

If you click on the link on the WikiLeakS.org Upload Form to the Disclaimer link, or actually selct a local file from your computer and press the Submit button, or if you read the HTML source code of the form, you will see something like

https://sunshinepress.org/upload/A52CFA2183C87B6B2AC792FC535EC83EB9DBA669/meta

in your web browser address bar.

i.e. a dynamically generated URL, which is different for each visitor or visit to the Upload Form.

If we took a charitable view, this could simply be a badly configured database driven web page Content Management System, which is producing human unfriendly URLs.

This might make sense, if WikIleakS.org was selling the content of its web pages and wanted to track each visitor's viewing habits or if they were trying to make it more difficult for valuable digital content to be indexed by web search engines.

To have this feature only on the supposedly "secure" and document file upload web form, to a supposedly "anonymous" whistleblower website makes no sense at, unless either incompetence or deliberate snooping are involved.

How can sceptical, suspicious people like us or any sane , cautious whistleblower, be assured that the 40 character 0-9, A-F, probably hexadecimal string, is not being logged by the web server hosting infrastructure e.g. the web server(s), proxy server(s) , etc. ?

Because this "unique identifier" appears in the URL path of the multi-page web form, it is visible as Communications Traffic Data to your local Internet Service Provider and other commercial and government snoopers, regardless of the fact that the rest of the web page and your actual upload is encrypted via TLS / SSL using the web server's Digital Certificate. In the European Union, for example, this Communications Data is, by law, retained for up to 3 years.

This "unique identifier" reduces the chances of the "plausible deniability" excuse during any "leak investigation" i.e. the claim that the computer used to upload some leaked document or other was not yours, but must have been someone else's within the same organisation or another customer of the same Internet Service Provider etc.

Coupled with the lack of any explicit statement by WikilLeakS.org that no web server or firewall or intrusion detection or anti-virus scanning or reverse proxy server or traffic management or load balancer etc. infrastructure at the PRQ web hosting company in Stocholm , Sweden, does not retain any IP address or other details in their log files (as all of these internet components tend to do by default) , any cautious whistleblower should assume that their supposedly secure SSL encrypted web upload session will leave electronic traces which may very well betray their identity, especially to the Swedish police and intelligence agencies and to WikiLeakS.org insiders.

Unless and until WikIleakS.org either clearly explain these unique identifiers in the web pages, or , better still, simply remove them, then we will advice people not to use this new, supposedly secure and anonymous, whistleblower document data file upload form.

WikiLeakS.org is still not publishing any of their old or new whistleblower leaks, whilst still asking for new whistleblower leak submissions, and, still asking for money.

They now seem to have got themselves a TipiT.to tip jar, run by a company called Like It Tipit Ltd, based in the United Kingdom and the Netherlands.

https://tipit.to/wikileaks.org

which accepts Euros, US Dollars or GB Pound currency donations via credit card or the (mostly) Netherlands based iDEAL online payment system.. TipiT.to seem to be using the Netherlands based AdYen internet payments system for credit cards.

The TipiT.to terms of service make it clear that any responsibility for taxation lies with WikiLeakS.org.

However, now casual visitors to the suspended WikiLeakS.org web page will see a typical "appeals thermometer" graphical image.

https://tipit.to/img/thermo?style=1&tipjarId=1&currency=EUR&goal=5000000&since=20100124&width=150&background=c0c0c0

tipit_to_wikileaks_org_261.jpg

Note the target "goal" of 50,000 Euros.

Another "web bug":

Even though the PayPal graphic is now being served locally, rather than as a Deep Link from the Canadian fishing supplies website, this Web Bug problem has simply been replaced by a new one.

The new "thermometer appeal" graphical image is not a static graphical image, served locally from the WikiLeakS.org web servers. (like the above screen capture graphic is being served from the WikiLeak.org web space)

It is a dynamic image, generated remotely on the fly, presumably to show how much of the target has been achieved, as per the "appeals thermometer" theme.

This means that the TipiT.to webservers, and the Amazon Web Services, Elastic Compute Cloud, EC2 instance which they use, are collecting Communications Traffic Data logfiles, including visit time and date, IP address, Web browser details, language settings etc., from most of the visitors to the WikiLeakS.org page, even if they do not intend to proceed to the tip jar donations form.

Will anybody be monitoring or automatically screen scraping and logging, the WikiLeakS.org TipIT tip jar, or even the TipiT.to home pages, which display the amounts of money of the last 10 or so tips received ? Obviously some of these donations or tips are pseudo anonymous, but several people seem to be leaving their names and comments of support, which they may or may not regret later.

N.B. since the TipiT.to webs server does not appear to be serving a robots.txt file:

http://tipit.to/robots.txt

it may well be that snapshots of the "latest tips / financial contributors" to WikiLeakS.org and any other website will be captured by automatically and "forever", by Google, Yahoo, Bing and other web search engines..

The embedded YouTube video script remains as before, also potentially betraying the anonymity of visitors to the WikiLeakS.org website, in log files over which WIkiLeakS.org have no control.

Why is the simple website anonymity protection measure of serving copies of graphical images only from your own web server so difficult for the WikiLeakS.org people, who one would expect to live and breathe internet anonymity and security, to understand ?

Why have WikiLeakS.org abandoned the use of PGP Encryption ?

The Contact page still has a link to a http://wikileaks.org/wiki/Wikileaks_PGP_key page:

Wikileaks:PGP Keys

Do not use PGP to contact us. We have found that people use it in a dangerous manner. Further one of the Wikileaks key on several key servers is FAKE.

wikileaks_pgp_key_warning_300.jpg

This warning now replaces a copy of the PGP Public Encryption Key which expired on 2nd November 2007 (PGP Key ID: 0x11015F80).

Instead of publishing a new PGP Key, the WikiLeakS.org staff have, without bothering to hold any sort of discussion on the relevant wiki discussion page, arbitrarily put up this stupid warning.

It is entirely possible for the public and for journalists and for whistleblowers to use unencrypted plaintext email, or the SSL / TLS web encrypted web session submission forms for new "whistleblower document" uploads, or the Tor Hidden Service methods, or the Postal mail box methods of submission, or the Discussion pages for publishing comments and analyses, and to make technical security or anonymity errors

in a dangerous manner.

Why is PGP any different ?

Presumably because the WiklLeakS.org team have deliberately not bothered to explain its correct use - they just published a link to a PGP public key, with nothing else in the way of instructions or warning advice.

The point about the PGP keyservers is utterly irrelevant, given that WikiLeakS.org were, correctly, publishing their PGP key primarily on their own web servers

Fake PGP keys on keyservers or elsewhere are not a problem - that is what the PGP key fingerprints are designed to help with.

This outright refusal to use widely available, tried, tested, and secure PGP / GnuGP / OpenPGP etc . software. has further damaged the reputation for trustworthiness of the WikiLeakS.org project.

Some people will conclude that some of the WikiLeakS.org people must be in cahoots with some intelligence or police agency or other, which is why they do not wish to promote the option of using strong end to end encryption like PGP for protecting whistleblowers.


There now seems to be a new Secure Sockets Layer (SSL) or Transport Layer Security (TLS) Digital Certificate installed on https://secure.wikileaks.org

Issuer
CN = Equifax Secure Global eBusiness CA-1
O = Equifax Secure Inc.Validity

Not before
11/06/2008 17:14:01
(11/06/2008 16:14:01 GMT)

Not After
12/06/2010 17:14:01
(12/06/2010 16:14:01 GMT)

Subject
CN = secure.wikileaks.org
OU = Domain Control Validated - RapidSSL(R)
OU = See www.rapidssl.com/resources/cps (c)08
OU = GT46622659
O = secure.wikileaks.org
C = US

Attempts to access https://wikileaks.org, or any of the other Cover Name DNS aliases, via SSL session encryption, should pop up a warning by your browser software about the name mismatch.

This is, however, more acceptable and trustworthy now that there is a valid, unexpired Digital Certificate installed.

It is extremely disappointing that there is no official note of explanation about this major change to the fundamental trust infrastructure of WikiLeakS.org, on the website itself.

The BBC's online and broadcast news technology programme Click has a report by David Reid: - Bloggers' search for anonymity

This examines some of the reasons for the need for anonymity and some of ways to get around some of repressive Government censorship of the internet.

It shows some peaceful direct action at an international tourism promotion show by Reporters Sans Frontièrs (Reporters Without Borders), who pointed out that some of the countries trying to attract Western tourists were also busy locking up and torturing journalists and bloggers, simply for publishing even mild or implied criticisms of the regime.

The programme also mentioned RSF's Handbook for bloggers and cyber-dissidents

hfbacd.gif

This should read in conjunction with the more recent and complementary
hints and tips for whistleblowers, journalists and bloggers by Spy Blog, and the Digital Security and Privacy for Human Rights Defenders manual by Front Line.

The programme mentioned the use of proxy servers to help overcome some of the Government internet censorship , which led on to a simple (cookery based) illustration of TOR, The Onion Routing scheme, which is apparently going to be used, together with other software, by the WikiLeak.orgproject.

The programme contributors give some obvious but important advice i.e. not to actually write blog articles under your real name.

There is some low tech advice about circumventing some internet censorship
e.g.by the inseration of extra punctuation around and between keywords like Tiananmen Square, e.g. perhaps +Tiananmen+Square+, which are still readable by humans, in much the same way as various spam emails attempt to overcome Bayesian heuristic anti-spam filter censorship

For a mainstream media programme, aimed at a worldwide audience, this is quite a good flavour of what this blog and the WikiLeaks.org project is about.

If a few more people out of the BBC Click programme's large online and broadcast audience are encouraged to try out say TOR, then that will be a good thing.

David Akin, a Canadian political journalist has this advice for the http://WikiLeaks.org project:

Well, good luck. Professionally speaking, I rely on the quiet word, the unnamed source, the leaked document, and the anonymous e-mail as an essential source of good news items. So I'll be visiting Wikileaks when it gets up and running which, according to the site creators, will be in as little as three our four weeks.

It will be astonishing if such a system magically appears in February or March, fully tested and debugged, and is ready for lots of non-technical or only moderately technical people to download, install and run.

Much more than software is required in order for a project like this to succeed and even very technically able and well resourced organisations, running a centralised system cannot be trusted to implement secure and anonymous systems correctly

But -- as someone who is often offered confidential information -- let me pass on this advice: Those who have confidential information want to know who they're giving it to. They want to know the character of the reporter who will tell the world about this confidential information. And they want to know for a few reasons -- mostly because they need to trust that person. Wikileaks says it has some great cryptography, etc. which it says will protect its sources. And they say they've got 2 million leaked documents ready to go. Ok. Great. That's cool. But the cryptographers behind the site -- so far as I can tell -- are anonymous. That's not right. Heck, these folks could be the secret police from [fill-in-evil-country's-name-here] for all you and I know!

It should be remembered that not every user of the proposed system is going to be a vulnerable solitary whistleblower, who has never leaked any information before, and who is under direct physical threat.
There could also be many experienced intermediaries and contacts several steps removed from the prime sources who want to make use of it.

Those who are courageous enough to leak information need to leak to partners who are courageous enough to put their own name on the line and who have the fortitude to defend the anonymity of those who asked for that cloak.

What those not entirely anonymous cryptographers are probably aiming for is their Open Source system to try to obey Kerckhoffs' principle:

"a cryptosystem should be secure even if everything about the system, except the key, is public knowledge"

However, the attacks on the WikiLeaks.org system are also going to be legal ones, through court orders and executive police powers etc., so the principle of Plausible Deniability also comes into play.

However, the good technical design of software programs and communications protocols is not sufficient on its own to achieve the goal of anonymous, untraceable, uncensorable publication of leaked documents by whistleblowers and dissidents.

Just look at the mess which the United Kingdom's Security Service MI5 has got itself into with its newly launched, relatively simple Terror Threat Level Status Change notification and website news update e-mail list subscription service. See Spy Blog's initial and follow up articles.

MI5 have access to all the required technical knowledge and even existing systems already set up, which could have been used to make the system secure against third party snoopers, but they did not make proper use of this.

The British public is meant to trust these people to protect them from terrorists and spies etc. and in return they demand and get a cloak of anonymity and secrecy, to protect national security.

There is a case for some WikiLeaks.org public spokespeople, but why should all of of the WikiLeaks.org cryptographers and volunteers be exposed to public scrutiny ?

That is a higher standard of transparency and openness than we expect from elected politicians, civil servants and police and intelligence agency personnel, or even journalists, even in relatively free democratic societies, let alone in repressive ones.

In practice, is at actually possible to apply Kerckhoffs' principle and the principle of Plausible Deniability, not to computer software and communications protocols, but to the non-technical, human aspects of the project, without creating something that is apparntly indistinguishable from a subversive conspiracy, and which will no doubt be painted as such by the vested interests who have something to lose if WikiLeaks.org succeeds ?

Is it time to re-read Hakim Bey's Temporary Autonomous Zones, which was popular amongst an earlier generation of internet pioneers and activists, and cyberpunks ?

All of the technical problems with the MI5 system could easily have been solved, if it had been properly tested, before its public launch, and that is what is worrying about the promise to launch WikiLeaks.org software in February or March.

What exactly is it meant to do, and who has tested it ?

Where is there a detailed systems architecture document for public peer review ?

What are the trade off choices which have been made between security and accessibility and scalability ?

There are still a whole lot of unanswered questions about this ambitious proposed WikiLeaks.org scheme.

About this blog

This blog here at WikiLeak.org (no "S") discusses the ethical and technical issues raised by the WikiLeakS.org project, which is trying to be a resource for whistleblower leaks, by providing "untraceable mass document leaking and analysis".

These are bold and controversial aims and claims, with both pros and cons, especially for something which crosses international boundaries and legal jurisdictions.

This blog is not part of the WikiLeakS.org project, and there really are no copies of leaked documents or files being mirrored here.

Email Contact

Please feel free to email us your views about this website or news about the issues it tries to comment on:

email: blog@WikiLeak[dot]org

Before you send an email to this address, remember that this blog is independent of the WikiLeakS.org project.

If you have confidential information that you want to share with us, please make use of our PGP public encryption key or an email account based overseas e.g. Hushmail

LeakDirectory.org

Now that the WikiLeakS.org project is defunct, so far as new whistleblower are concerned, what are the alternatives ?

The LeakDirectory.org wiki page lists links and anonymity analyses of some of the many post-wikileaks projects.

There are also links to better funded "official" whistlblowing crime or national security reporting tip off websites or mainstream media websites. These should, in theory, be even better at protecting the anonymity and security of their informants, than wikileaks, but that is not always so.

New whistleblower website operators or new potential whistleblowers should carefully evaluate the best techniques (or common mistakes) from around the world and make their personal risk assessments accordingly.

Hints and Tips for Whistleblowers and Political Dissidents

The WikiLeakS.org Submissions web page provides some methods for sending them leaked documents, with varying degrees of anonymity and security. Anybody planning to do this for real, should also read some of the other guides and advice to political activists and dissidents:

Please take the appropriate precautions if you are planning to blow the whistle on shadowy and powerful people in Government or commerce, and their dubious policies. The mainstream media and bloggers also need to take simple precautions to help preserve the anonymity of their sources e.g. see Spy Blog's Hints and Tips for Whistleblowers - or use this easier to remember link: http://ht4w.co.uk

BlogSafer - wiki with multilingual guides to anonymous blogging

Digital Security & Privacy for Human Rights Defenders manual, by Irish NGO Frontline Defenders.

Everyone’s Guide to By-Passing Internet Censorship for Citizens Worldwide (.pdf - 31 pages), by the Citizenlab at the University of Toronto.

Handbook for Bloggers and Cyber-Dissidents - March 2008 version - (2.2 Mb - 80 pages .pdf) by Reporters Without Borders

Reporters Guide to Covering the Beijing Olympics by Human Rights Watch.

A Practical Security Handbook for Activists and Campaigns (v 2.6) (.doc - 62 pages), by experienced UK direct action political activists

Anonymous Blogging with Wordpress & Tor - useful step by step guide with software configuration screenshots by Ethan Zuckerman at Global Voices Advocacy. (updated March 10th 2009 with the latest Tor / Vidalia bundle details)

WikiLeakS Links

The WikiLeakS.org Frequently Asked Questions (FAQ) page.

WikiLeakS Twitter feeds

The WikiLeakS.org website does not stay online all of the time, especially when there is a surge of traffic caused by mainstream media coverage of a particularly newsworthy leak.

Recently, they have been using their new Twitter feeds, to selectively publicise leaked documents to the media, and also to report on the status of routing or traffic congestion problems affecting the main website in Stockholm, Sweden.

N.B.the words "security" or "anonymity" and "Twitter" are mutually exclusive:

WikiLeakS.org Twitter feed via SSL encrypted session: https://twitter.com/wikileaks

WikiLeakS.org unencrypted Twitter feed http://twitter.com/wikileaks

Internet Censorship

OpenNet Initiative - researches and measures the extent of actual state level censorship of the internet. Features a blocked web URL checker and censorship map.

Temporary Autonomous Zone

Temporary Autonomous Zones (TAZ) by Hakim Bey (Peter Lambourn Wilson)

Cyberpunk author William Gibson

Campaign Button Links

Watching Them, Watching Us, UK Public CCTV Surveillance Regulation Campaign
UK Public CCTV Surveillance Regulation Campaign

NO2ID Campaign - cross party opposition to the NuLabour Compulsory Biometric ID Card
NO2ID Campaign - cross party opposition to the NuLabour Compulsory Biometric ID Card and National Identity Register centralised database.

Gary McKinnon is facing extradition to the USA under the controversial Extradition Act 2003, without any prima facie evidence or charges brought against him in a UK court. Try him here in the UK, under UK law.
Gary McKinnon is facing extradition to the USA under the controversial Extradition Act 2003, without any prima facie evidence or charges brought against him in a UK court. Try him here in the UK, under UK law.

FreeFarid_150.jpg
FreeFarid.com - Kafkaesque extradition of Farid Hilali under the European Arrest Warrant to Spain

Peaceful resistance to the curtailment of our rights to Free Assembly and Free Speech in the SOCPA Designated Area around Parliament Square and beyond

Parliament Protest blog - resistance to the Designated Area restricting peaceful demonstrations or lobbying in the vicinity of Parliament.

Petition to the European Commission and European Parliament against their vague Data Retention plans
Data Retention is No Solution Petition to the European Commission and European Parliament against their vague Data Retention plans.

Save Parliament: Legislative and Regulatory Reform Bill (and other issues)
Save Parliament - Legislative and Regulatory Reform Bill (and other issues)

Open_Rights_Group.png
Open Rights Group

The Big Opt Out Campaign - opt out of having your NHS Care Record medical records and personal details stored insecurely on a massive national centralised database.

Tor - the onion routing network
Tor - the onion routing network - "Tor aims to defend against traffic analysis, a form of network surveillance that threatens personal anonymity and privacy, confidential business activities and relationships, and state security. Communications are bounced around a distributed network of servers called onion routers, protecting you from websites that build profiles of your interests, local eavesdroppers that read your data or learn what sites you visit, and even the onion routers themselves."

Tor - the onion routing network
Anonymous Blogging with Wordpress and Tor - useful Guide published by Global Voices Advocacy with step by step software configuration screenshots (updated March 10th 2009).

irrepressible_banner_03.gif
Amnesty International's irrepressible.info campaign

anoniblog_150.png
BlogSafer - wiki with multilingual guides to anonymous blogging

ngoiab_150.png
NGO in a box - Security Edition privacy and security software tools

homeofficewatch_150.jpg
Home Office Watch blog, "a single repository of all the shambolic errors and mistakes made by the British Home Office compiled from Parliamentary Questions, news reports, and tip-offs by the Liberal Democrat Home Affairs team."

rsf_logo_150.gif
Reporters Without Borders - Reporters Sans Frontières - campaign for journalists 'and bloggers' freedom in repressive countries and war zones.

committee_to_protect_bloggers_150.gif
Committee to Protect Bloggers - "devoted to the protection of bloggers worldwide with a focus on highlighting the plight of bloggers threatened and imprisoned by their government."

wikileaks_logo_low.jpg
Wikileaks.org - the controversial "uncensorable, anonymous whistleblowing" website based currently in Sweden.

Syndicate this site (XML):

Recent Comments

  • James Hyams: I'm writing a thesis on Public Trust in WikiLeaks, the read more
  • rich kaplan: Hello Wikeleaks vrew. In Turkey , the islamist goverment just read more
  • wikileak: Cryptome have a few more extracts from this book http://cryptome.org/0003/ddb-book/ddb-book.htm read more
  • wikileak: OpenLeaks.org have now launched their website with some details of read more
  • wikileak: Bahnhof Internet seem to be hosting two Wikileaks servers in read more
  • teresa: I THANK THEY JUST TO SHUT HIM UP. THEY THINK read more
  • wikileak: Clay Shirky has posted a rough transcript of Daniel Domscheit-Berg's read more
  • wikileak: @ N - you can still see the "1.2 million read more
  • N: @wikileak - Exactly, these cables are _from_ the United States, read more
  • wikileak: Openleaks.org is now displaying this meassage: Coming soon! While we read more

December 2014

Sun Mon Tue Wed Thu Fri Sat
  1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30 31