OpenLeaks’ testing won’t be a mere tryout of the site’s submission functions so much as a trial by fire: Domscheit-Berg plans to invite the 3,000 security-minded types at the German conference and any other willing hackers around the world to actively probe the site and seek out its vulnerabilities in a crowd-sourced penetration test. If they can demonstrate flaws that could damage its stability, its data’s security or, perhaps most importantly, the anonymity of its sources, those testers are asked to alert OpenLeaks’ team and help get the flaws fixed.
Update: the testing site will be live for now not at OpenLeaks.org, but on the Tageszeitung website.
“We need to be sure for the people who use such a system that it can’t be compromised,” says Domscheit-Berg. “Whistleblowers are the ones who take the risks. And they’re the ones that get screwed if something goes wrong. So it’s inherently important for us to make these people as comfortable as possible.”
OpenLeaks also announced for the first time the names of its media partners: German newspapers Die Tageszeitung and the weekly Der Freitag, Danish paper Dagbladet Information, the Portuguese newsweekly Expresso, as well as the German food- and environment-focused non-profit Foodwatch. Five other organizations are in talks with the group, Domscheit-Berg says. OpenLeaks’ security depends on those outlets as much as on Domscheit-Berg’s group of hackers. Reiner Metzger, one of three editors-in-chief of Tageszeitung, for instance, says that the paper had to remove many of the cookie-planting elements on its website, and create a “fog” of cover traffic to protect leakers. “We’ve really connected with OpenLeaks on the technological and the editorial level,” Metzger says.
Even after OpenLeaks’ testing week, Domscheit-Berg warns the site won’t be ready to go live, and the group won’t name a launch date. That may be seen as another frustrating delay for some who expected the site to start accepting WikiLeaks-style leaks as early as January. But Domscheit-Berg, who left WikiLeaks last September after a falling-out with its founder Julian Assange, says that OpenLeaks won’t rush to launch at the expense of polishing the site’s security. “We stated much too early that we were going to be online,” says Domscheit-Berg. “If you want to do this correctly, it takes time.”
The group, which varies at times between five and seven volunteers, is creating tools not just for anonymous leaking but also for the entire chain of submission and publishing. That includes secure ways for media partners to receive the documents so that they can decrypt them but OpenLeaks can’t, and an application for them to redact the documents permanently and collaborate securely.
The difficulty of properly locking down a leak-focused site has been demonstrated in cringeworthy detail in attempts at similar projects by Al Jazeera and the Wall Street Journal. Both those outlets’ leak conduits have been criticized by the security community for making basic security mistakes and including legal fine print that fails to fully protect leakers from being exposed.
Domscheit-Berg argues that leaking sites’ security measures don’t need to be as tight as WikiLeaks’ were during Domscheit-Berg’s time with the group–they need to be tighter. Adversaries of leaking like corporations, law enforcement and intelligence, he says, have ramped up their security measures in the wake of WikiLeaks’ record-breaking breaches. “WikiLeaks appeared out of nowhere,” says Domscheit-Berg. “It caused a lot of new problems no one had thought about before. Now they’ve thought about this whole thing for a bit. The dust has settled. And it will never be as easy again.”
That means facilitating leakers needs to become more systematic and rigorous, Domscheit-Berg says. Later this week at the Chaos Communication Camp, OpenLeaks plans to hold a workshop for leaking sites, inviting hackers to spend a few hours probing other WikiLeaks copycat sites that have asked to be audited for flaws and creating a “best practices” checklist for anonymity and security.