globaleaks live launch - venice 2011

GlobaLeaksThe Open Whistleblowing Framework

1Tuesday, September 6, 2011

Agenda

• Why does GlobaLeaks exists?

• How does it work?

• Who will use it?

• How can you hack on it? Join GlobaLeaks!

• # ./startglobaleaks


ARG*:GlobaLeaks Organization

• There is no hierarchy of power

• No Official Role

• Every member of GlobaLeaks is A Random GlobaLeaks Contributor|Developer|Spokesperson|Advocate


Why does GlobaLeaks exists

Why we want to change the world into a better place


Motivations

• We wish to make this world a better place

• We strive to increase transparency and accountability in our society


Existing Solutions

• The existing software lacked basic privacy-aware (anonymity) and security features (encryption).

• Existing projects are less open that they want to make people believe.

• Only commercial software or outsourced WhistleBlowing services


Research on WB

https://leakdirectory.org

SHA Fingerprint: 2F 78 1A E7 34 32 44 35 1D 68 6A DE B7 83 58 F6 11 41 BC E0

• We started a research a research on Whistleblowing on Dec 2010


https://www.leakdirectory.org



The WB ecosystem


So what’s Whistleblowing?

• A whistleblower is somebody that informs of illicit activity.

• Activates citizens in their own local politics

• Activate people in their global view


Active citizenship “... which of two common types of character,

for the general good of humanity, it is most desirable should predominate — the active, or the passive type; that which struggles against evils, or that which endures them; that which

bends to circumstances, or that which endeavours to make circumstances bend to

itself.” John Stuart Mill, "Representative Government" (1869)


Transparency and Accountability

• People should start demanding transparency and enforcing it with GlobaLeaks.

• Corporations and governments will understand the need to be more transparent


How GlobaLeaks works

How we plan to change the World


The actors involved in GlobaLeaks

• The Whistleblower

• The Targets

• The Node Administrator


Whistleblower

• An Active citizen that is aware of some malpractice and wrongdoing

• She/He will notify the GL node of such information


Targets

• She/He is the person responsible for analyzing the material

• No consent

• Diversified actors as incentive


Node Administrator

• The person running GlobaLeaks software

• Choose the target list

• Choose the goals and objective of ther activities

• Behave depending on the context and goals


Interaction

node Targets

pressNGO

Audience

• the node administrator select a list of

targets • A Tulip is created

notification

download

Submission

Out

put

WhistleBlower

NodeAdministrator


Notification (TULIP)

• Temporary Unique Link Information Provider

• The means of communications between the target and WhistleBlower


TULIP

• Expires after a fixed amount of downloads and time

• Is unique to every target/material

• The data can be stored inside a flexible and configurable container (see local storage, FTP, Dropbox,Tahoe-LAFS, etc.)


TULIP notification

• Flexible and expandable notification system

• email, twitter, facebook, SCP, ticketing system


TULIP receipt


GlobaLeaks anonymity

• Tor Hidden Services for pubblishing

• Protection of WhistleBlower and Node maintainer

• Tor client for notifications


GlobaLeaks security• Authentication

• TULIP based authentication

• optional password

• Encryption (optional)

• ZIP AES, PGP container

• Applies to data and notification

• Security

• optional metadata cleanup facilities (MAT)


Target - Whistleblower interaction

• Send and receive comments

• WhistleBlower is able to upload more material regarding a submission

• Secure JS based chat system?


Who will use GlobaLeaks

Different ways of using GlobaLeaks......The Swiss Army Knife of Whistleblowing


Media

• Media outlets, Magazine and Journalism associations can setup a WB interface

• Collects Anonymous report by default

• Two real world use cases


Transparency Activism (1)

• NGO and informal activism organisations

• They will promote the GL node

• They will only promote the GL node and others will analyze the data

• Advocacy on the importance of Transparency and accountability

• Corruption spotting


• Break the three monkey principle

Transparency Activism (II)


Private Corporations

• Important tool to be integrated within the corporate organizational model

• Typically managed by internal audit

• Accountability mandated by the law

• Sarbanes-Oxley Act (USA)

• Dlgs 231 (Italy)


Environmental Malpractice

• Involve citizen to send photos, reports and dossiers about environmental malpractice

• Setup a node linked to environmental associations, pollution experts, journalists and environmental activists.


Public Agencies

• Internal and external public WB services

• USA IRS, US SEC, EU Antitrust

• Involve citizens into spotting tax evasion, market manipulation, corruption, malpractice in health


Ways to publish a GlobaLeaks Site

Different ways of bringing online a GlobaLeaks site depending on how you want to use it


Pure Hidden Service• Pros

• Submission is highly secure.

• Does not rely on legacy technologies such as SSL.

• DDOS protected.

• Location of every network entity protected.

• Requires to setup only one device.

• Cons

• Submitters must use a Tor client.


Hybrid: HS + tor2web• Pros

• Location of the backend storage server protected.

• Backend DDOS protected.

• Does not require clients to install any software except a browser.

• Cons

• Relies on legacy technology such as SSL.

• The tor2web node can be targeted by a DDOS or SSL man in the middle.


Web only solution• Pros

• Does not require clients to install any software except a browser.

• Requires to setup only one device.

• Cons

• Relies on legacy technology such as SSL.

• The location of the server is disclosed.

• It can be targeted by DDOS attacks and MITM.

• One single point of failure.


WTF!?... Or, how will we change the world.


The Tulip movement• The WB gives TULIPs

out to targets

• This is a gift to humanity

• TULIP is also used as an acronym in Calvinism

• Flower power leads to open and transparent society.


How can you hack on it ?

Practical way to start hacking on GlobaLeaks, have lots of fun, drink lots of wine and taste good Italian food


Launchpad and Bazaar

• Install bazaar, is the versioning system

• register your user at http://lauchpad.net

• our launchpad page is http://launchpad.net/globaleaks

• check out the blueprints:https://blueprints.launchpad.net/globaleaks


http://lauchpad.net

http://lauchpad.net

http://launchpad.net/globaleaks




https://blueprints.launchpad.net/globaleaks

https://blueprints.launchpad.net/globaleaks

Technologies

• Python

• web2py (http:///web2py.org/book)

• MVC model

• Secure by default against web attacks

• Object Oriented


Delivery

• Self contained .exe

• Self contained .app

• Drag and drop install experience

• Even non techie people will run it.


and now...


brace yourselves.


# ./startglobaleaks


Questions?Contacs

Main site: http://www.globaleaks.orgGlobaLeaks demo: http://demo.globaleaks.orgWiki for the project: http://wiki.globaleaks.org/Planet GlobaLeaks: http://planet.globaleaks.org/Mailing list: http://globaleaks.org/mailman/listinfo/people_globaleaks.orgIRC: irc.oftc.net #globaleaksWEBCHAT: http://irc.lc/OFTC/globaleaks/webchat


http://www.globaleaks.org

http://www.globaleaks.org

http://wiki.globaleaks.org/

http://wiki.globaleaks.org/

http://planet.globaleaks.org/

http://planet.globaleaks.org/

http://globaleaks.org/mailman/listinfo/people_globaleaks.org

http://globaleaks.org/mailman/listinfo/people_globaleaks.org

http://irc.lc/OFTC/globaleaks/webchat

http://irc.lc/OFTC/globaleaks/webchat

globaleaks live launch - venice 2011

News & Politics

globaleaks software

member of globaleaks

globaleaks organization

gl node

transparency activism

node administratornotication

node administratortuesday

importance of transparency