28 Apr
2015
28 Apr
'15
1:43 p.m.
Assembled cogniscenti:
I am not a huge fan of the Melbourne Herald-Sun and I believe the somewhat similar
English Sun, is one of the Murdoch's
papers which seemed to have little regard for privacy. So I found the following link
which a friend sent;
somewhat curious. But it did prompt the question suppose an ombudsman wanted to set up a
secure
drop box for "IT-naive whistleblowers", is it feasible ? and how could the
whistleblower be certain
of that anonymity ?
http://www.thesun.co.uk/sol/homepage/news/6429126/The-Sun-Whistleblower-Cha…
regards Rohan McLeod
29 Apr
29 Apr
4:39 a.m.
New subject: How feasible are secure drop-boxes for "IT naive whistleblowers" ?
On 28/04/2015 1:43 PM, Rohan McLeod wrote:
Assembled cogniscenti:
I am not a huge fan of the Melbourne Herald-Sun and I believe the
somewhat similar English Sun, is one of the Murdoch's
papers which seemed to have little regard for privacy. So I found the
following link which a friend sent;
somewhat curious. But it did prompt the question suppose an ombudsman
wanted to set up a secure
drop box for "IT-naive whistleblowers", is it feasible ? and how could
the whistleblower be certain
of that anonymity ?
http://www.thesun.co.uk/sol/homepage/news/6429126/The-Sun-Whistleblower-Cha…
????
https://projects.newyorker.com/strongbox/
????
A.
30 Apr
30 Apr
8:57 p.m.
On Wed, 29 Apr 2015 04:39:01 AM Andrew McGlashan wrote:
On 28/04/2015 1:43 PM, Rohan McLeod wrote:
> Assembled cogniscenti:
> I am not a huge fan of the Melbourne Herald-Sun and I believe the
> somewhat similar English Sun, is one of the Murdoch's
> papers which seemed to have little regard for privacy. So I found the
> following link which a friend sent;
> somewhat curious. But it did prompt the question suppose an ombudsman
> wanted to set up a secure
> drop box for "IT-naive whistleblowers", is it feasible ? and how could
> the whistleblower be certain
> of that anonymity ?
>
> http://www.thesun.co.uk/sol/homepage/news/6429126/The-Sun-Whistleblower-C
> harter.html
Rather amusing to see a Murdoch paper railing against phone hacking. They had
an 'important scoop about cabinet minister Andrew Mitchell calling cops
“f***ing plebs”'. Seriously? We have lies about multiple wars, and lots of
other serious issues and a profane MP is an "important scoop"?
That said it's good that the publish information about using Tor, the people
who read The Sun aren't going to be attending LUG meetings etc so it's their
best chance to learn about such things.
I agree that the New Yorker is probably a better option in most cases. But if
you have evidence of a dodgy MP doing something stupid that a tabloid can
harass them about then The Sun is a good option.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
1 May
1 May
8:05 a.m.
New subject: How feasible are secure drop-boxes for "IT naive whistleblowers" ?
Russell Coker wrote:
On Wed, 29 Apr 2015 04:39:01 AM Andrew McGlashan
wrote:
Reading these links the technology seems pretty much the same ie. using a secure anonymous
brouser ( Tor) to;
access an otherwise invisible website.The problem / possibility which I was hoping to
highlight by referencing
"ombudsmen" was the much wider appllication.of such technology beyond merely
protecting newspaper sources;
eg. Police internal affairs; oversight of intelligence organizations, public scrutiny of
large commercial organizations, etc.
1/ The first problem is does this technology actually guarantee the anonymity of the
whistleblower ?;
2/ How can an 'IT naive' whistleblower be certain of this ?
because one can see in the case of Edward Snowden and the tragic case of Chelsea Elizabeth
Manning;
(born Bradley Edward Manning) these people are actually putting their lives on the
line.
3/ If it does; is it accessible to IT naive sources because apart from the question of
ease of use one doesn't,
want to provide even this information about a whistleblower.
4/ A second problem, should the technology actually allow the possibility of secure
anonymous dropboxes/ suggestion boxes;
is their use by 'black-hats'; to use the example of Police Internal Affairs
corrupt officers or criminals could
use the system to safely spread disinformation. This suggests the information from such
drop-boxes could never be used ,
in a court of law although it could reference information that can.
eg a police department was supposed to have destroyed certain files and hadn't
regards Rohan McLeod
On 28/04/2015 1:43 PM, Rohan McLeod wrote:
> ......snip But it did prompt the question suppose an ombudsman
> wanted to set up a secure
> drop box for "IT-naive whistleblowers", is it feasible ? and how could
> the whistleblower be certain
> of that anonymity ?
>
> http://www.thesun.co.uk/sol/homepage/news/6429126/The-Sun-Whistleblower-C
> harter.html
Rather amusing to see a Murdoch paper railing against phone
hacking. They had
an 'important scoop about cabinet minister Andrew Mitchell calling cops
“f***ing plebs”'. Seriously? We have lies about multiple wars, and lots of
other serious issues and a profane MP is an "important scoop"?
That said it's good that the publish information about using Tor, the people
who read The Sun aren't going to be attending LUG meetings etc so it's their
best chance to learn about such things.
I agree that the New Yorker is probably a better option in most cases. But if
you have evidence of a dodgy MP doing something stupid that a tabloid can
harass them about then The Sun is a good option.
10:10 a.m.
On Fri, 1 May 2015, Rohan McLeod <rhn(a)jeack.com.au> wrote:
Reading these links the technology seems pretty much
the same ie. using a
secure anonymous brouser ( Tor) to; access an otherwise invisible
website.The problem / possibility which I was hoping to highlight by
referencing "ombudsmen" was the much wider appllication.of such
technology beyond merely protecting newspaper sources; eg. Police internal
affairs; oversight of intelligence organizations, public scrutiny of large
commercial organizations, etc.
1/ The first problem is does this technology actually guarantee the
anonymity of the whistleblower ?;
http://linuxers.org/article/browser-fingerprinting-technique-identify-users-
without-using-cookies
That depends on the implementation. If someone uses a regular web browser
with tor instead of torbrowser then their combination of OS, fonts, browser
version, screen resolution, etc probably narrows it down a bit. If the
authorities already have a list of a few hundred people who could have blown
the whistle that is likely to identify the person. The above URL has some
background information.
2/ How can an 'IT naive' whistleblower be
certain of this ?
because one can see in the case of Edward Snowden and the tragic case of
Chelsea Elizabeth Manning; (born Bradley Edward Manning) these people are
actually putting their lives on the line.
They can't. But it's better than nothing. Also in regard to browser
fingerprinting that restricts it to just the news source, so it's a matter of
whether you trust the integrity of the news organisations to not to store data
for fingerprinting (don't trust Murdock) and whether you trust their ability
to keep the authorities out of their servers.
4/ A second problem, should the technology actually
allow the possibility
of secure anonymous dropboxes/ suggestion boxes; is their use by
'black-hats'; to use the example of Police Internal Affairs corrupt
officers or criminals could use the system to safely spread
disinformation. This suggests the information from such drop-boxes could
never be used , in a court of law although it could reference information
that can. eg a police department was supposed to have destroyed certain
files and hadn't
I think that if the police wanted to keep data instead of destroying it then
they would just do so. They could rent or build entire data centers for
storing such data and no-one would stop them.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
10:59 a.m.
New subject: How feasible are secure drop-boxes for "IT naive whistleblowers" ?
Russell Coker <russell(a)coker.com.au> wrote:
On Fri, 1 May 2015, Rohan McLeod
<rhn(a)jeack.com.au> wrote:
> Reading these links the technology seems pretty much the same ie. using a
> secure anonymous brouser ( Tor) to; access an otherwise invisible
> website.The problem / possibility which I was hoping to highlight by
> referencing "ombudsmen" was the much wider appllication.of such
> technology beyond merely protecting newspaper sources; eg. Police internal
> affairs; oversight of intelligence organizations, public scrutiny of large
> commercial organizations, etc.
>
Some of these applications may be well served by the proposal described in
this article:
https://lwn.net/Articles/640295/
That depends on the implementation. If someone uses a
regular web browser
with tor instead of torbrowser then their combination of OS, fonts, browser
version, screen resolution, etc probably narrows it down a bit.
And as you mention, this narrows it down altogether too much in many cases.
Undoubtedly, human rights organizations encounter these issues frequently.
They need reliable information, often from states with poor human rights
records where political freedom is strongly curtailed.
I don't think it's possible for anyone who isn't proficient in installing
software and running it reliably to have anonymity. Consider this a privilege
for those in the know, just as e-mail encryption with public-key
infrastructure is.
2:16 p.m.
New subject: How feasible are secure drop-boxes for "IT naive whistleblowers" ?
On 1/05/2015 10:10 AM, Russell Coker wrote:
On Fri, 1 May 2015, Rohan McLeod
<rhn(a)jeack.com.au> wrote:
Privacy of electronic communication being something that can't be
guaranteed is why
Pamela Jones shut down Groklaw. She couldn't conscientiously expect her
sources
to take that sort of risk. (Not that I'm saying that snail mail is free
from risk either, but
a letter can be dropped in a post box anywhere, so the chance of being
exposed is
minimal, or at least can be minimised by taking the fairly simple
precautions of using
generic stationary, print the content using standard fonts on a common
model of
printer, and random choice of post box to send the letter on its way.)
Morrie.
Reading these links the technology seems pretty
much the same ie. using a
secure anonymous brouser ( Tor) to; access an otherwise invisible
website.The problem / possibility which I was hoping to highlight by
referencing "ombudsmen" was the much wider appllication.of such
technology beyond merely protecting newspaper sources; eg. Police internal
affairs; oversight of intelligence organizations, public scrutiny of large
commercial organizations, etc.
1/ The first problem is does this technology actually guarantee the
anonymity of the whistleblower ?;
2 May
2 May
9:32 a.m.
New subject: How feasible are secure drop-boxes for "IT naive whistleblowers" ?
Morrie Wyatt <morrie(a)morrie.id.au> wrote:
(Not that I'm saying that snail mail is free from
risk either, but
a letter can be dropped in a post box anywhere, so the chance of being
exposed is
minimal, or at least can be minimised by taking the fairly simple
precautions of using
generic stationary, print the content using standard fonts on a common model
of
printer, and random choice of post box to send the letter on its way.)
Some printers, unfortunately, embed subtle identifying information in their
output.
Use a printer that is frequented by members of the public in large numbers,
for example in a public library or perhaps a printing/photographics outlet
that people regularly visit to print material.
4 May
4 May
2:09 p.m.
On Sat, 2 May 2015, Jason White <jason(a)jasonjgw.net> wrote:
Morrie Wyatt <morrie(a)morrie.id.au> wrote:
https://www.eff.org/pages/list-printers-which-do-or-do-not-display-tracking-
dots
http://en.wikipedia.org/wiki/Printer_steganography
The above has more information on this.
(Not that I'm saying that snail mail is free
from
risk either, but
a letter can be dropped in a post box anywhere, so the chance of being
exposed is
minimal, or at least can be minimised by taking the fairly simple
precautions of using
generic stationary, print the content using standard fonts on a common
model of
printer, and random choice of post box to send the letter on its way.)
Some printers, unfortunately, embed subtle identifying information in their
output. Use a printer that is frequented by members of the
public in large numbers,
for example in a public library or perhaps a printing/photographics outlet
that people regularly visit to print material.
Or just obtain a printer without it being associated to you or to any other
secret documents.
For example if you were to find a working printer on someone's lawn when the
council is collecting hard rubbish and only used it for blowing the whistle on
one organisation you would be safe as long as there is no geographic
association. Taking a printer from your neighbor would be a bad idea. Taking
one from a different suburb that's no closer to you than to any of the other
people who have access to the data in question should be OK.
You could buy a printer with cash at a swap meet. Buying from a store would
be a bad idea as you don't know how long their surveillance records are kept.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
3:09 p.m.
New subject: How feasible are secure drop-boxes for "IT naive whistleblowers" ?
Russell Coker wrote:
On Sat, 2 May 2015, Jason White
<jason(a)jasonjgw.net> wrote:
Russell,
both these seem to refer exclusively to laser-printers;
a quick google didn't seem to find similar issues with ink-jets;
absence of evidence, is evidence of absence ? :-)
regards Rohan McLeod
Morrie Wyatt <morrie(a)morrie.id.au> wrote:
https://www.eff.org/pages/list-printers-which-do-or-do-not-display-tracking-
dots
http://en.wikipedia.org/wiki/Printer_steganography (Not that I'm saying that snail mail is free
from
risk either, but
a letter can be dropped in a post box anywhere, so the chance of being
exposed is
minimal, or at least can be minimised by taking the fairly simple
precautions of using
generic stationary, print the content using standard fonts on a common
model of
printer, and random choice of post box to send the letter on its way.)
Some
printers, unfortunately, embed subtle identifying information in their
output.
4:42 p.m.
On Mon, 4 May 2015 03:09:46 PM Rohan McLeod wrote:
Russell,
both these seem to refer exclusively to laser-printers;
a quick google didn't seem to find similar issues with ink-jets;
absence of evidence, is evidence of absence ? :-)
Ink jets might be a safer option as something which is of unknown security is
probably a better option than something that is proven to be insecure. But if
there were consequences that matter I wouldn't trust them.
One benefit of those secure drop-box services is that it eliminates the issues
of tracing printers, paper, etc.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
1 May
1 May
noon
New subject: How feasible are secure drop-boxes for "IT naive whistleblowers" ?
On 30/04/15 22:05, Rohan McLeod wrote:
Russell Coker wrote:
tor/tails is currently the best option for a
"naive" user to become
anonymous it has its problems but its the best we currently have.
(low-latency anonymity is a hard problem or actually anonymity in
general is a hard problem when facing a state actor )
On Wed, 29 Apr 2015 04:39:01 AM Andrew McGlashan
wrote:
Reading these links the technology seems pretty much the same ie.
using a secure anonymous brouser ( Tor) to;
access an otherwise invisible website.The problem / possibility which
I was hoping to highlight by referencing
"ombudsmen" was the much wider appllication.of such technology beyond
merely protecting newspaper sources;
eg. Police internal affairs; oversight of intelligence organizations,
public scrutiny of large commercial organizations, etc.
1/ The first problem is does this technology actually guarantee the
anonymity of the whistleblower ?; On 28/04/2015 1:43 PM, Rohan McLeod wrote:
> ......snip But it did prompt the question suppose an ombudsman
> wanted to set up a secure
> drop box for "IT-naive whistleblowers", is it feasible ? and how could
> the whistleblower be certain
> of that anonymity ?
>
> http://www.thesun.co.uk/sol/homepage/news/6429126/The-Sun-Whistleblower-C
>
> harter.html
Rather amusing to see a Murdoch paper railing against phone
hacking.
They had
an 'important scoop about cabinet minister Andrew Mitchell calling cops
“f***ing plebs”'. Seriously? We have lies about multiple wars, and
lots of
other serious issues and a profane MP is an "important scoop"?
That said it's good that the publish information about using Tor, the
people
who read The Sun aren't going to be attending LUG meetings etc so
it's their
best chance to learn about such things.
I agree that the New Yorker is probably a better option in most
cases. But if
you have evidence of a dodgy MP doing something stupid that a tabloid
can
harass them about then The Sun is a good option.
2/ How can an 'IT naive' whistleblower be
certain of this ?
they would need to do a little research. the only good thing the
.au
govs data retention policy has achieved is it has made a lot of regular
"naive" users at least aware of the current options.
because one can see in the case of Edward Snowden and
the tragic case
of Chelsea Elizabeth Manning;
(born Bradley Edward Manning) these people are actually putting their
lives on the line
Ed outed himself by choice for his reasons.
chelsea outed herself by telling a a person she really shouldnt have
told what she did. in her case i really think she would have remained
anonymous had she had kept quiet.
3/ If it does; is it accessible to IT naive sources because apart from
the question of ease of use one doesn't,
want to provide even this information about a whistleblower.
ideally you wouldnt
want one 2 one this information over open channels,
but have a how to access on a public site someplace so you are not
flagging them. Currently using your use case of police corruption if
they called or emailed the PIC they are potentially already outed due to
data retention. hence it would be optimal to have a how to give
anonymous tips in a very public place.
4/ A second problem, should the technology actually allow the
possibility of secure anonymous dropboxes/ suggestion boxes;
is their use by 'black-hats'; to use the example of Police Internal
Affairs corrupt officers or criminals could
use the system to safely spread disinformation. This suggests the
information from such drop-boxes could never be used ,
in a court of law although it could reference information that can.
eg a police department was supposed to have destroyed certain files
and hadn't
dropboxes would normally be more like an "anonymous tip from a payphone"
that would lead to verifiable data that could be used in court. not the
be all and end all of a case.
regards Rohan McLeod
_______________________________________________
luv-talk mailing list
luv-talk(a)luv.asn.au
http://lists.luv.asn.au/listinfo/luv-talk
2 May
2 May
9:46 a.m.
New subject: How feasible are secure drop-boxes for "IT naive whistleblowers" ?
nic <nic(a)404ed.org> wrote:
dropboxes would normally be more like an
"anonymous tip from a payphone"
that would lead to verifiable data that could be used in court. not the be
all and end all of a case.
Yes, and this is important to remember. Obviously, the organization which runs
the dropbox needs to verify the information carefully and take appropriate
action.
It's also worth bearing in mind that some countries have laws in place
designed to protect the interests of whistleblowers. This isn't my area of
expertise, and I suspect that some of the protections are more effective than
others. I don't know what the laws cover, e.g., whether it's only
public-sector issues or also the private sector Obviously, if it's a criminal
matter reported to the police, then issues of witness protection arise, which
can likewise be complex.
2888
days inactive
2894
days old
12 comments
6 participants
participants (6)
-
Andrew McGlashan -
Jason White -
Morrie Wyatt -
nic -
Rohan McLeod -
Russell Coker