Wednesday, January 5, 2011

Create your own Wikileaks

The success of WikiLeaks has encouraged many people to start similar projects. Their main motive is to expose wrongdoing, either at the local or national level.
But it’s more complicated than you might think to set up this kind of website. There are three parties involved: the source, the website and the journalist. Each needs the others, but is also independent. Below are a number of tips and suggestions for a DIY WikiLeaks. But be aware of what you’re getting into. It’s like chess: you always have to think a few moves ahead. And never lose sight of your own safety.

What’s the safest way for sources to supply documents?

There are different degrees of risk attached to different types of information. Even a simple letter can be traced back to the location it was posted from. Bear in mind that, if it’s intercepted, a letter might carry fingerprints, and the post office may have security cameras. Digitise the documents and destroy the originals. If the authenticity of the documents comes into question, there are plenty of forensic possibilities with the digital version.

How can sources prevent their IP addresses from being recorded?

An internet cafe is an option, but it’s also a risk. Other users can be pressurised into revealing information about you, or there might be security cameras. It’s not our preferred option. A Tor network (originally an abbreviation of ‘The Onion Router’) is a possible solution. Tor is an encryption system developed to enable anonymous internet traffic. The technique prevents eavesdroppers from seeing that any communication is taking place, let alone with whom. The software is free.
Alternatively you could use a VPN (Virtual Private Network) or open proxies abroad.

How do you set up a WikiLeaks site?

The technology is the easy part - what you have to dig a little deeper for are the ideals, willpower and nerve. Plus people who support and believe in the project, and also believe in the possibility of change.

Is it an advantage or a disadvantage if the people involved know each other?

View the team around a whistle-blowing site as a movement made up of different cores. Work goes more smoothly if you have a few familiar people around. But the fewer people who know each other the better. It’s not a social club. Make your friends at the pub.

How safe is it for a WikiLeaks team to communicate using chat channels?

It might be safe. Internet Relay Chat (IRC) is secure enough if you work via other servers and bouncers (BNC). But be on your guard for the unexpected. Here too a Tor network is safer.

How can the WikiLeaks team guarantee its sources’ anonymity?

• Servers should never make log files.

• Remove all metadata from files you receive – either automatically or as quickly as possible (metadata may include information on who created the document and where it was sent from, and is not always visible).

• Files should then be encrypted or taken offline as soon as possible, or constantly transferred from one storage location to another.

If you take all of these precautions, even members within the leaks site will be unable to trace the source.
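
As an added illustration of the metadata step (example code, not part of the original article), the Python below removes the author and application properties from an Office Open XML file (.docx, .xlsx, .pptx) and resets the timestamps of the ZIP entries. The function names and the sample package, including the author name in it, are constructed for this example.

```python
import io
import re
import zipfile

# Package parts of a .docx/.xlsx/.pptx file that hold author, company,
# "last modified by" and creation-time properties.
PROPERTY_PARTS = {"docProps/core.xml", "docProps/app.xml", "docProps/custom.xml"}
EPOCH = (1980, 1, 1, 0, 0, 0)  # earliest timestamp a ZIP entry can carry


def strip_ooxml_metadata(data: bytes) -> bytes:
    """Return a copy of the package without property parts or entry timestamps."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if item.filename in PROPERTY_PARTS:
                continue
            body = src.read(item.filename)
            # Remove the references to the dropped parts as well.
            if item.filename == "[Content_Types].xml":
                body = re.sub(rb'<Override[^>]*PartName="/docProps/[^>]*/>', b"", body)
            elif item.filename == "_rels/.rels":
                body = re.sub(rb'<Relationship[^>]*Target="docProps/[^>]*/>', b"", body)
            clean = zipfile.ZipInfo(item.filename, date_time=EPOCH)
            clean.compress_type = zipfile.ZIP_DEFLATED
            dst.writestr(clean, body)
    return out.getvalue()


def make_sample() -> bytes:
    """Constructed minimal package; 'Jane Example' is a made-up author name."""
    parts = {
        "[Content_Types].xml": '<Types><Override PartName="/word/document.xml" ContentType="a"/>'
                               '<Override PartName="/docProps/core.xml" ContentType="b"/></Types>',
        "_rels/.rels": '<Relationships><Relationship Id="rId1" Target="word/document.xml"/>'
                       '<Relationship Id="rId2" Target="docProps/core.xml"/></Relationships>',
        "docProps/core.xml": "<coreProperties><creator>Jane Example</creator></coreProperties>",
        "word/document.xml": "<document>body text</document>",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        for name, text in parts.items():
            package.writestr(name, text)
    return buf.getvalue()
```

This covers only the package-level properties: author names also sit in tracked changes and comments inside the document body, and embedded images carry their own metadata.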

How can the WikiLeaks team ensure its servers are secure?

Some important standard procedures:

• Use an up-to-date operating system on the server

• Use the latest version of crucial software such as Apache

• Work via SSH and turn off things like FTP and direct admin

• Never ever work from the root account

• Make sure you have a good firewall

• Use multiple server locations

It’s often easier for governments to block a domain name than shut down an entire server. Locate your server in a country where legislation makes it virtually impossible to confiscate it. Host your server yourself or know who’s hosting it.
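
Two of the procedures above (no root logins, no FTP) can be checked mechanically. The Python below is an added example, not part of the original article: it reads an sshd_config and the output of `ss -tln` and reports whether root can still log in over SSH and whether an FTP port is listening. The function name and both sample inputs are constructed, and the fallback value for PermitRootLogin assumes a current OpenSSH release.

```python
CLEARTEXT_PORTS = {21: "FTP"}  # services the list above says to turn off


def audit(sshd_config: str, ss_output: str) -> list:
    """Return findings for root SSH login and cleartext listeners."""
    findings = []
    # Value sshd falls back to when the keyword is absent (OpenSSH 7.0 and
    # later; assumed here). It still lets root in with a key.
    root_login, seen, in_match = "prohibit-password", False, False
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        key = fields[0].lower()  # keywords are case-insensitive
        value = fields[1].strip().lower() if len(fields) > 1 else ""
        if key == "match":
            in_match = True  # everything below is conditional
        elif key == "permitrootlogin":
            if in_match and value != "no":
                findings.append(f"Match block sets PermitRootLogin {value}")
            elif not in_match and not seen:
                root_login, seen = value, True  # first occurrence wins
    if root_login != "no":
        findings.append(f"root can log in over SSH (PermitRootLogin {root_login})")
    for row in ss_output.splitlines():
        cols = row.split()
        if len(cols) >= 4 and cols[0] == "LISTEN":
            port = int(cols[3].rsplit(":", 1)[1])
            if port in CLEARTEXT_PORTS:
                findings.append(f"{CLEARTEXT_PORTS[port]} is listening on port {port}")
    return findings


# Constructed inputs: a config where "no" was appended below an earlier "yes",
# and `ss -tln` output from a host that still runs an FTP daemon.
WEAK_CONFIG = """\
# sshd_config (constructed sample)
PermitRootLogin yes
Port 22
PermitRootLogin no
"""
WEAK_PORTS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      32           0.0.0.0:21        0.0.0.0:*
LISTEN 0      511             [::]:443          [::]:*
"""
```

The weak sample shows a common mistake: sshd uses the first value it reads for a keyword, so a "PermitRootLogin no" appended at the end of the file does not override the "yes" above it.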


VPN: Via a VPN (Virtual Private Network) you can create a secure network within an existing one – like the internet. VPN is a solution if you want to send data via an internal network.

A website can be partially secured via an SSL/TLS connection (Secure Sockets Layer and the improved Transport Layer Security). With authentication you can control access to a server’s secure connection. You can recognise an SSL certificate by the ‘s’ on the end of http(s). Bear in mind that in some countries data encryption is illegal. Check the law where you are.

Where is it safe to locate the servers?

The European Union’s Data Retention Directive requires providers to store data for at least six months. Check how the directive is applied in your country.
There are fewer and fewer places you can safely locate a server. The law is also changing fast. As the number of WikiLeaks projects increases, the danger is that more and more countries will amend their legislation.
France, however, is adopting a tolerant approach towards WikiLeaks.

What should the WikiLeaks team do with the information it receives?

It’s not wise to put leaked information straight online. There’s a risk that it may not be relevant and you could harm people unintentionally. The data could be corrupted by irrelevant information and spam.

Step 1:

Receive the documents. Go through them in a first selection round. If in doubt, let a document go through. You can reject an instruction manual, for example, but you should keep it if it has unusual page numbering. Don’t look at the content too much – don’t be distracted by your own opinion.

Step 2:

Write a three-line summary of each document and add it to the file. Ask sources (via the website) in advance to write a brief explanation. Save the explanation and the summary together.

Step 3:

If you know journalists who are willing and brave enough to publish the information, you can show them the summaries. If not, try to make contact with one or more international organisations, such as human rights groups or trade unions. Don’t send the whole team to see them, choose just a few delegates.

If you really can’t find anyone else to do it, you’ll have to write something yourself and publish it online. However, this is a last resort.

Step 4:

A journalist checks the documents for their authenticity and value according to the generally accepted standards of journalism.

If the team writes the piece themselves, the same standards apply. Check the facts, approach both sides for comment, and write the article on the basis of fact. Your own opinion is irrelevant.

Step 5:

Agree on a date for publication with the journalist. Only release the original documents after publication. Then readers can make up their own minds on the facts and judge their significance.

Once the website is online, what does the WikiLeaks team need to be prepared for?

Recent weeks have seen repeated DDoS attacks. You can imagine a DDoS as a queue in a store made up of customers who don’t want to buy anything, preventing the real customers from getting to the front. DDoS attacks are hard to combat. Attempts to defend against them simply provoke fresh tactics.

There are a few possible solutions:

• Increase the bandwidth (‘open more tills’)

• Ensure server redundancy and scalability (‘Anycast’)

• Change IP address regularly

How can you tell whether the website is secure enough?

Don't be complacent. Invite people you trust to try and hack or disable the website. Nothing teaches you more than a hacked website. Learn from errors you made and improve the site's reliability and safety.

How does the WikiLeaks team keep itself out of harm’s way?

Never forget the government has experts too. Always think one step ahead. Keep abreast of technical and legal developments.
Be a movement, not an organisation. Then you can carry on if you lose one link in the chain.
Stay in control, but to some degree allow the process to run its course.
Maintain mutual anonymity. Divide tasks. External contacts shouldn’t know programmers and vice versa. Always look out for your own safety.

source: RNW
