Why does GlobaLeaks exists? How does it work? Who will use it? How can you hack on it? Join GlobaLeaks! # ./startglobaleaks

1. GlobaLeaks
The Open Whistleblowing Framework
Sunday, September 4, 2011

2. Agenda
• Why does GlobaLeaks exists?
• How does it work?
• Who will use it?
• How can you hack on it? Join GlobaLeaks!
• # ./startglobaleaks
Sunday, September 4, 2011

3. ARG*:
GlobaLeaks Organization
• There is no hierarchy of power
• No Official Role
• Every member of GlobaLeaks is A Random
GlobaLeaks Contributor|Developer|
Spokesperson|Advocate
Sunday, September 4, 2011

4. Why does GlobaLeaks
exists
Why we want to change the world into a better place
Sunday, September 4, 2011

5. Motivations
• We wish to make this world a better place
• We strive to increase transparency and
accountability in our society
Sunday, September 4, 2011

6. Existing Solutions
• The existing software lacked basic privacy-
aware (anonymity) and security features
(encryption).
• Existing projects are less open that they
want to make people believe.
• Only commercial software or outsourced
WhistleBlowing services
Sunday, September 4, 2011

7. Research on WB
• We started a research a
research on Whistleblowing
on Dec 2010
https://leakdirectory.org
SHA Fingerprint:
2F 78 1A E7 34 32 44 35 1D 68 6A DE B7 83 58 F6 11 41 BC E0
Sunday, September 4, 2011

8. The WB ecosystem
Sunday, September 4, 2011

9. So what’s
Whistleblowing?
• A whistleblower is somebody that informs
of illicit activity.
• Activates citizens in their own local politics
• Activate people in their global view
Sunday, September 4, 2011

10. Active citizenship
“... which of two common types of character,
for the general good of humanity, it is most
desirable should predominate — the active, or
the passive type; that which struggles against
evils, or that which endures them; that which
bends to circumstances, or that which
endeavours to make circumstances bend to
itself.” John Stuart Mill, "Representative
Government" (1869)
Sunday, September 4, 2011

11. Transparency and
Accountability
• People should start demanding
transparency and enforcing it with
GlobaLeaks.
• Corporations and governments will
understand the need to be more
transparent
Sunday, September 4, 2011

12. How GlobaLeaks
works
How we plan to change the World
Sunday, September 4, 2011

13. The actors involved in
GlobaLeaks
• The Whistleblower
• The Targets
• The Node Administrator
Sunday, September 4, 2011

14. Whistleblower
• An Active citizen that is aware of some
malpractice and wrongdoing
• She/He will notify the GL node of such
information
Sunday, September 4, 2011

15. Targets
• She/He is the person responsible for
analyzing the material
• No consent
• Diversified actors as incentive
Sunday, September 4, 2011

16. Node Administrator
• The person running GlobaLeaks software
• Choose the target list
• Choose the goals and objective of ther
activities
• Behave depending on the context and goals
Sunday, September 4, 2011

17. Interaction
Audience
WhistleBlower Submission
Output
pre
NGO ss
download
Node
Administrator
Targets
node
• the node
administrator notification
select a list of
targets • A Tulip is created
Sunday, September 4, 2011

18. Notification (TULIP)
• Temporary Unique Link
Information Provider
• The means of
communications
between the target and
WhistleBlower
Sunday, September 4, 2011

19. TULIP
• Expires after a fixed amount of downloads
and time
• Is unique to every target/material
• The data can be stored inside a flexible and
configurable container (see local storage,
FTP, Dropbox,Tahoe-LAFS, etc.)
Sunday, September 4, 2011

20. TULIP notification
• Flexible and expandable notification system
• email, twitter, facebook, SCP, ticketing
system
Sunday, September 4, 2011

21. TULIP receipt
Sunday, September 4, 2011

22. GlobaLeaks anonymity
• Tor Hidden Services for pubblishing
• Protection of WhistleBlower and Node
maintainer
• Tor client for notifications
Sunday, September 4, 2011

23. GlobaLeaks security
• Authentication
• TULIP based authentication
• optional password
• Encryption (optional)
• ZIP AES, PGP container
• Applies to data and notification
• Security
• optional metadata cleanup facilities (MAT)
Sunday, September 4, 2011

24. Target - Whistleblower
interaction
• Send and receive comments
• WhistleBlower is able to upload more
material regarding a submission
• Secure JS based chat system?
Sunday, September 4, 2011

25. Who will use
GlobaLeaks
Different ways of using GlobaLeaks...
...The Swiss Army Knife of Whistleblowing
Sunday, September 4, 2011

26. Media
• Media outlets, Magazine and Journalism
associations can setup a WB interface
• Collects Anonymous report by default
• Two real world use cases
Sunday, September 4, 2011

27. Transparency Activism (1)
• NGO and informal activism organisations
• They will promote the GL node
• They will only promote the GL node and
others will analyze the data
• Advocacy on the importance of
Transparency and accountability
• Corruption spotting
Sunday, September 4, 2011

28. Transparency Activism (II)
• Break the three monkey principle
Sunday, September 4, 2011

29. Private Corporations
• Important tool to be integrated within the
corporate organizational model
• Typically managed by internal audit
• Accountability mandated by the law
• Sarbanes-Oxley Act (USA)
• Dlgs 231 (Italy)
Sunday, September 4, 2011

30. Public Agencies
• Internal and external public WB services
• USA IRS, US SEC, EU Antitrust
• Involve citizens into spotting tax evasion,
market manipulation, corruption,
malpractice in health and environment
Sunday, September 4, 2011

31. Ways to publish a
GlobaLeaks Site
Different ways of bringing online a GlobaLeaks site
depending on how you want to use it
Sunday, September 4, 2011

32. Pure Hidden Service
• Pros
• Submission is highly secure.
• Does not rely on legacy technologies such as
SSL.
• DDOS protected.
• Location of every network entity protected.
• Requires to setup only one device.
• Cons
• Submitters must use a Tor client.
Sunday, September 4, 2011

33. Hybrid: HS + tor2web
• Pros
• Location of the backend storage server
protected.
• Backend DDOS protected.
• Does not require clients to install any
software except a browser.
• Cons
• Relies on legacy technology such as SSL.
• The tor2web node can be targeted by a
DDOS or SSL man in the middle.
Sunday, September 4, 2011

34. Web only solution
• Pros
• Does not require clients to install any
software except a browser.
• Requires to setup only one device.
• Cons
• Relies on legacy technology such as SSL.
• The location of the server is disclosed.
• It can be targeted by DDOS attacks and
MITM.
• One single point of failure.
Sunday, September 4, 2011

35. WTF!?
... Or, how will we change the world.
Sunday, September 4, 2011

36. The Tulip movement
• The WB gives TULIPs
out to targets
• This is a gift to
humanity
• TULIP is also used as an
acronym in Calvinism
• Flower power leads to
open and transparent
society.
Sunday, September 4, 2011

37. How can you hack on
it ?
Practical way to start hacking on GlobaLeaks, have lots
of fun, drink lots of wine and taste good Italian food
Sunday, September 4, 2011

38. Launchpad and Bazaar
• Seif, hellais bitch, recommended it, but it’s a bit of PITA.
• send him emails for help on bzr
(seif@globaleaks.org)
• Install bazaar, is the versioning system
• register your user in http://lauchpad.net
• we’re http://launchpad.net/globaleaks
• check the blueprints:
https://blueprints.launchpad.net/globaleaks
Sunday, September 4, 2011

39. Technologies
• Python
• web2py (http:///web2py.org/book)
• MVC model
• Secure by default against web attacks
• Object Oriented
Sunday, September 4, 2011

40. Delivery
• Self contained .exe
• Self contained .app
• Drag and drop install experience
• Even non techie people will run it.
Sunday, September 4, 2011

41. and now...
Sunday, September 4, 2011

42. brace yourselves.
Sunday, September 4, 2011

43. # ./startglobaleaks
Sunday, September 4, 2011

44. Questions?
Sunday, September 4, 2011