BritiLeaks

From LeakDirectory

General Notes

The original BritiLeaks.org website made so many anonymity and security errors that it has now, thankfully, been replaced by a much better website (still to be launched).

Our notes and analyses of the original false start website, to educate potential whistleblowers and whistleblower website operators about some of the mistakes to avoid, can still be accessed via:

BritiLeaks_false_start


Update 10 June 2012 - use of CloudFlare content delivery network

Still no launch or publication of any whistleblower leaks, or of the promised privacy and acceptable use policy by BritiLeaks.org.

They seem to be experimenting with the CloudFlare content delivery network, which provides extra bandwidth and resistance to Denial of Service attacks. However, rather like Google, CloudFlare also seems to treat some Tor Exit Nodes as "suspicious" or "virus infected" (some of them do get abused) even when your local computer is not. This can lead to the triggering of a CAPTCHA page which is full of third party tracking graphics, which betray the visitors' IP address and web browser details etc. - not acceptable for whistleblower source anonymity protection.

If this does happen, you should break your current Tor connection and re-connect via a different Tor Exit Node, ideally after a plausibly deniable delay. Check the IP address first before going to the whistleblower website, e.g. by going to the Home page configured by default in the Tor Browser Bundle.

Alternatively you can simply use the TOR hidden services which are not protected by CloudFlare.

Update 19 May 2012

BritiLeaks launches an anonymous support desk system: https://twitter.com/#!/BritileakTech/status/203840309505966081.

On 19 May 2012 (some minutes after its launch) a persistent XSS vulnerability was reported on the page for creating a new ticket: https://britileaks.com/support/new.php. Within 25 minutes the issue was resolved.

No SQL injections have been found in the system.


Update 05 April 2012

Still not yet launched, but they have been "open alpha" testing their https://SecureSubmissionSystem.com website.

Still plenty of spelling mistakes (dyslexia ?) and text copied straight from the defunct WikiLeaks submission system.

Their promised detailed Policy / Disclaimer about exactly what is and is not acceptable for publication, which should also be gathering feedback from potential users of the website, is still secret.

SSL Site

Their site can be accessed via SSL now: https://britileaks.com:444/ Note the 444: this is required because the default port 443 is running SecureSubmissionSystem.com.

Oh; forgot to mention we registered britileaks.com, redirects to SSL (SNI is a bitch).

Update 3rd January 2012

On BritiLeaks Tumblr they have written the following:

I would like to make a few notes on Leak Directory.
A) Their Wiki is full of spam, a sign of truly bad administration: e.g. http://leakdirectory.org/index.php?title=Special%3ASearch&search=drug&go=Go 
Mirrored:
http://www.uploadscreenshot.com/image/666673/4459096
http://www.uploadscreenshot.com/image/666695/2030786
B) They utilise a exploitable version of MediaWiki:
http://leakdirectory.org/index.php/Special:Version
Mirror: http://www.uploadscreenshot.com/image/666715/4358315
http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-April/000097.html
C) They have criticised us for loading Twitter graphics, from Twitter; yet they, in an attempt to prevent spam load use Recaptcha (from Google’s servers). 
http://www.uploadscreenshot.com/image/666720/3378757
D) Their SSL configuration is absolutely awful.
They criticise our smallest, inane mistakes; it would be interesting to see how they would react if we did any such things. Just to note; we are not against or opposed to LeakDirectory (in fact we been using some elements of our LeakDirectory page to find, and resolve issues), just find the above interesting.

http://britileaks.tumblr.com/post/15239051302/a-few-brief-notes-on-leakdirectory
LeakDirectory responded on Twitter:

@BritileakTech Thanks for notes. Please consider that LeakDirectory it's just a public wiki with anonymous editing. We don't handle *leaks

Update 1st January 2012 Tor Exit Node

UPDATE: BritiLeaks have stated they will not sniff any traffic from their exit node.

https://twitter.com/#!/BritileakTech/status/153504480720199680

@BritileakTech BritiLeaks Techies

As a few of you have noticed we are also a Tor exit node as securesubmissionsystem.com as a rather crude way to hide trails further.

3:54 PM, Jan 1st 2012

One of the accusations against WikiLeaks.org was that their initial cache of alleged whistleblower leak documents was the result of unethically sniffing the traffic from Tor Exit nodes under their, or their associates', control.

BritiLeaks.org need to clearly state that they will not do this.

Running a Tor Exit node should be welcomed by other whistleblowing websites making use of Tor.

However, it does increase the chances of legal subpoenas, complaints to and blocking by ISPs or by Government or corporate content filtering systems, which may adversely affect the number of people who can access https://securesubmissionsystem.com in order to submit a whistleblower leak.

There may be some impractical anonymity correlation attacks (by the theoretical Global Passive Adversary) against the Tor Hidden Services if they are being run on the same machine as the Tor Exit node.

The BRITILEAKS [79.134.255.45] Tor Exit node is running the old, critically unpatched version 0.2.2.34 of the software.

Update 1st January 2012 Disclaimer / Publication Policy text

A draft of the promised Disclaimer has been published:

This is quite ambitious in scope and many more detailed questions will be asked and need to be answered:

Note the apparent Author's name left in the EXIF meta data of this document.



https://securesubmissionsystem.com/downloads/BritiLeaks%20Disclaimer.pdf

BritiLeaks accepts and publishes material that is:

• Of significant; political, ethical, diplomatic or historical value.

• Under active censorship, or pressure for its removal, or previously unreleased.

• Not be myth, or rumor, or untrue. [sic]

You can see that this section has been influenced by the original WikiLeaks.org promises, which they did not always stick to.

Treatment of sources:

• BritiLeaks will NEVER co-operate with anyone trying to track a sources identity.

• BritiLeaks will NEVER disclose a sources identity.

Can that be true even if Britileaks.org people are served with legal threats, or are arrested, or if violence is threatened against them or their families ?

• BritiLeaks online submission system makes it impossible for BritiLeaks to know a sources identity.

• BritiLeaks uses laws in many different countries (e.g. Belgium, Sweden, Iceland) to help protect the source.

"a sources identity" should probably have an apostrophe i.e. "a source's identity"

Another bit of WikiLeaks.org influence

Just connecting to the internet in those countries does not guarantee that their journalism protection laws are invoked, if it did, then the North Korean, Chinese and Iranian censorship laws (and death penalties) would also apply equally e.g. you need to be a Registered Journalist in Sweden to take advantage of their press protection laws.


• BritiLeaks submission system is fully encrypted (often with layered encryption).

• BritiLeaks servers do not keep ANY logs about the visitors.

• We format information in such a way that all trails to the source are destroyed; any unredacted versions are destroyed.

What is the redaction / censorship policy, in detail ?

How will BritiLeaks.org check that the whistleblower source is genuine ?

• BritiLeaks follows many protection policies; many are not listed here to protect sources.

These other policies also need to be transparently published and discussed

• BritiLeaks will immediately destroy information about the sources identity if received.

Is this data destruction proof against forensic data recovery, if BritiLeaks.org computers or removable storage media are seized as evidence in a leak investigation or are lost or stolen ?

BritiLeaks will, to the fullest of its ability:

• Protect the source.

• Give the material as much press attention as possible.

• Give the material the biggest impact, politically, socially, and historically.

"as much press attention as possible" means issuing proper Press Releases, establishing face to face relationships with journalists for "exclusive" first access to stories and avoiding Julian Assange style accusations of "betrayal" by the mainstream media.

At the very least BritiPress / BritiLeaks need to provide full email and phone number contact details, official Press release web pages, press and media email subscription lists, RSS feeds etc. and to have credible spokesmen ready to be interviewed ahead of tight publication deadlines. A semi-anonymous Twitter feed as the only method of contact will not achieve this.

• Keep the information available to the public; despite pressure to remove it.

Does that include a promise to keep previously published material online, even when new whistleblower submissions are suspended for various reasons (something which WikiLeaks.org failed to do) ?

• Defend the material against attacks.

Attacks from whom ? What sort of attacks ?

• Ensure people are not harmed by the release.

This last point needs to be spelled out in detail.

Topics not covered:

Who are the people behind BritiLeaks.org ?

Where does the money come from ?

Why should a whistleblower trust BritiLeaks.org rather than another website (or none at all) ?



Update 1st January 2012

  • The BritiLeaks.org prelaunch home page http://leaks.britileaks.org/prelaunch.php
    • They have now removed the "follow button" graphic images pulled directly from Twitter's webservers, which were handing over all visitors' IP addresses and web browser details to a webserver not under BritiLeaks control - BritiLeaks may claim not to hold such logfiles which can be legally or illegally seized, but Twitter etc. certainly do.
    • They promise they will be moving their main site to Sweden soon. There are no issues with the Icelandic one. [see http://leakdirectory.org/index.php/Talk:BritiLeaks Discussion page]
    • Disclaimer: https://securesubmissionsystem.com/downloads/BritiLeaks%20Disclaimer.pdf Note the apparent Author's name left in the EXIF meta data of this document.
    • Notes on the submission system are promised also.

    Update 31st December 2011 / 1st January 2012

    UPDATE: BritiLeaks have quickly pulled the browser bundle offline, after a few hours of being online, with this message:

    "The BritiSubmit application was accidentally released, it was meant to be a version for internal testing only. Has been removed."

    https://twitter.com/britileaktech/status/153129730097422336

    An earlier tweet reveals:

    Excuse the sudden change in SecureSubmissionSystem.com; doing some experimenting. https://twitter.com/britileaktech/status/152412689640071168

    Submissions were still not accepted in this period.

    In the directory, a now deleted newer version of the Browser bundle was found. It also contained an encryption application, and the bundle could only connect to the SecureSubmissionSystem using SSL.

    This is another example of how whistleblower websites have to be extremely professional when it comes to software releases and patches, otherwise they risk utterly damaging their credibility and reputation, even before it has gained a critical mass of support, just like the Haystack debacle

    http://www.guardian.co.uk/technology/2010/sep/17/haystack-software-security-concerns


    Previously:

    We strongly advise you use the BritiSubmit tool available at the following links: Mac Windows, if you are able to run it, it will add aditional protection to the system such as the Tor network, on the same page we offer support to whistleblower support. [sic]

    https://securesubmissionsystem.com/downloads/BritiLeaks%20Secure%20Submission%20Bundle%20Mac.zip

    https://securesubmissionsystem.com/downloads/BritiLeaks%20Secure%20Submission%20Bundle%20Windows.zip

    Before being taken offline the "BritiSubmit tool" appears to have been a badly configured, unacknowledged copy of a recent, but critically vulnerable version of the Tor Browser Bundle.

    https://blog.torproject.org/blog/tor-02235-released-security-patches

    BritiLeaks.org would be better off simply mirroring the latest Tor Browser Bundle software (with Digital Signatures) on their own server and writing, or pointing to, the appropriate setup instructions and anonymity warning caveats.


    However, as a positive, they have integrated internal Tor bouncing, which will help protect a source's identity, however little. This is similar to what WikiLeaks did prior to their submission system being taken offline. https://twitter.com/britileaktech/status/152525754624786432

    (see the Discussion page for questions about the utility of this feature)

    Update 28th December 2011

    It is now claimed their submission system is ready, and it will be launched alongside their first leak.

    Obviously this "first leak" will not have been submitted publicly through the new submission system (the "chicken and egg" dilemma of all new public websites)

    There does not appear to be any plan for a public beta test of the submission system before launch.

    This Tweet hints that this "first leak" may have something to do with Jemima Khan:

    https://twitter.com/#!/BritiLeaks/status/150989623173185536 
    
    @BritiLeaks Briti McLeaky
    @Jemima_Khan Ms. Khan, We'd like to speak to you at some point in the near future when
    you're free. Merry Christmas, BritiLeaks.org
    
    5:21 PM, Dec 25th 2011
    

    Their SSL technologies have been made even better than they already were, supporting TLS 1.1 and TLS 1.2 alongside many other improvements, such as better Cipher Strength

    This is better than almost all other whistleblowing, official government tipoff, internet banking or e-commerce websites

    N.B. SSL encryption is only part of the toolkit needed to help preserve the anonymity and security of potential or actual whistleblowers or to protect the whistleblowing website infrastructure from legal or illegal attacks.

    The tech team may be supported by MJSAHost mjsa@mjsahost.com

    SecureSubmissionSystem.com teaser screenshot

    N.B. the spelling mistakes and awkward grammar illustrated in this screenshot need to be fixed before launch.

    The Pre-Launch web page now no longer includes any email contacts, only Twitter feeds (i.e. only a single point of failure / target for legal injunctions or subpoenas or censorship):

    http://leaks.britileaks.org/prelaunch.php

    Update 11th December 2011

    The new secure submission system is still promised "in a few days".

    However, BritiLeaks.org have now started mirroring other websites, something which if reciprocated, will strengthen their resistance to legal or illegal censorship.

    The downside is that they have to decide if all of the content of all of the other websites they are mirroring, is acceptable within their (still as yet undisclosed) publishing policy disclaimer.

    http://leaks.britileaks.org/mirrors/

    There also now seems to be a sort of parallel Press Release website project, also currently not yet launched, using CloudFlare

    BritiPress @BritiPress

    Sister media organisation of @BritiLeaks.

    Everywhere. · http://britipress.com

    Update 4th September 2011

    BritiLeaks.org have now abandoned their use of http://britileaks.weebly.com free webspace in favour of a new website hosted in Iceland

    ==Welcome to BritiLeaks.== Note: BritiLeaks is nearly ready to launch, we will be online with a advanced secure submission system in a few days.

    BritiLeaks is an originally British based non-profit news organization designed for publishing important news stories around the world;

    The original website seemed to be set to concentrate just on the United Kingdom, they now seem to have world wide ambitions.

    this is based on a whistleblowing interface where we offer a legally and technically protected way for sources to deliver important information to us.

    It will be interesting to see what legal protections they claim to offer.

    Britileaks publishes genuine material that is of political, ethical, diplomatic or historical value, that is unreleased or under active censorship (read our disclaimer for more information) regardless of which country it concerns. This way we can uncover hidden wrong doing by provide real evidence rather than media speculation, and political views that modern media has descended into. We promise maximum impact our releases, as well as keeping the material available and ensuring innocents are not harmed amongst many promises which you can read in our disclaimer.

    BritiLeaks is currently not yet ready for launch, but we are 99% complete.

    We crush corruption.

    The as yet unpublished Disclaimer will need to be analysed carefully

    The old Twitter feed seems to have gone silent:

    https://twitter.com/#!/britileaks

    Briti McLeaky

    @BritiLeaks UK

    Exposing corruption in the UK and Great Britain

    http://www.britileaks.org

    There are two additional feeds:

    https://twitter.com/#!/BritiPress is mentioned on their main site, and possesses the domain "http://britipress.com".

    "Sister media organisation of @BritiLeaks."

    Also there is:

    https://twitter.com/#!/BritileakTech

    BritiLeaks techies.

    @BritileakTech BritiLeaks Tech Dept.

    Tweets from the Britileaks tech team; site updates, recruitment, news, releases.

    http://britileaks.org

    This announces the new updated home page, promising a new secure submissions system

    They seem to be offering two Tor Hidden services

    to the main site

    http://britileaks.org

    http://ip4pmdeqjgjcxtiu.onion

    and to

    https://SecureSubmissionSystem.com

    http://pwi7cqrqep7u7ggg.onion

    Both http://britileaks.org and https://SecureSubmissionSystem.com point to the same server hosted in Iceland

    Contact Details

    website
    http://www.BritiLeaks.org
    Press Enquiries
    email: britileaks@riseup.net
    General Enquiries
    telephone: none
    fax: none
    email address: britileaks@riseup.net

    N.B. the current home page does not provide any such contact details, these are from the old website version(s)

    Postal Address:

    Social Networking publicity

    Twitter

    https://twitter.com/#!/britileaks

    https://twitter.com/#!/BritileakTech

    https://twitter.com/#!/BritiPress

    FaceBook

    No

    Blog / RSS

    No

    Financial Donation methods

    No

    Currently accepting submissions of whistleblower leaks ?

    No

    Planned Submission system launch date ?

    Soon ? (as of 5th April 2012)

    Restrictive legal Terms & Conditions

    No - see the ambitious Disclaimer

    https://securesubmissionsystem.com/downloads/BritiLeaks%20Disclaimer.pdf


    Practical Advice on preserving Whistleblower Anonymity

    Yes

    A few common sense whistleblower anonymity tips from the Centre for Investigative Journalism; advice and screenshots about installing Tor (but the Tor Hidden Service http://pwi7cqrqep7u7ggg.onion seems to be down); Internet cafes and open Wi-Fi (needs to be expanded); using a 3G data dongle; a (non-functional) Postal submission network (a la WikiLeaks).

    https://securesubmissionsystem.com/submit/

    Leak Submission Encryption

    Digital Certificate fingerprints published on their website:

    Yes, on https://securesubmissionsystem.com

    SHA1: C0 C5 BE 3B D4 0C 8B 32 26 88 A4 42 24 BC 3D 43 0E B2 82 F2

    MD5: 5C A0 48 D3 C8 24 FD 22 2E 6A 90 BD 16 EF 1C EA


    Qualys SSL Labs SSL Server Test rating:

    https://www.ssllabs.com/ssldb/analyze.html?d=SecureSubmissionSystem.com

    Overall rating: A [98]

    Certificate: 100

    Protocol Support: 95 - Due to their decision to support all TLS protocols, should be perfectly fine.

    Key Exchange: 100

    Cipher Strength: 100

    Issuer: StartCom Ltd.

    Includes Secure Renegotiation, Strict Transport Security and resistance to BEAST man in the middle attacks - i.e. better than most other whistleblower or official government tipoff websites or most internet banking or e-commerce websites

    As @BritileakTech mention on their Twitter stream, the BEAST vulnerability is probably not an issue as they do not currently use cookies on their website.

    PGP Public Encryption Key

    After their disastrous start with publishing a PGP key, they do seem to have finally mastered the use of PGP.

    We will wait to see if the PGP Key we have corresponded with is the one which they publish on the new site.

    TOR Hidden Service

    They seem to be offering two Tor Hidden services

    to the main site

    http://britileaks.org

    http://ip4pmdeqjgjcxtiu.onion

    and to

    https://SecureSubmissionSystem.com

    http://pwi7cqrqep7u7ggg.onion

    I2P eepsite

    No

    PrivacyBox.de

    No

    Hushmail Secure Form

    No

    Leak Submission Anonymity

    TOR users blocked from access

    No

    3rd Party or persistent tracking cookies or graphics

    No (previously Yes)

    http://leaks.britileaks.org/prelaunch.php

    They are currently pulling Twitter follow button graphics from Twitter's own webservers, rather than copying the images and serving them locally from their own webserver.

    They have now removed the offending Twitter graphics images


    CAPTCHA graphics generated from another website e.g. Google Re-Captcha

    No

    Mixed mode non-SSL graphics or style sheets

    No

    Embedded video clips etc. from another website e.g. YouTube

    No
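
The four checks above (third-party tracking graphics, externally hosted CAPTCHA, mixed-mode non-SSL content, embedded clips from another site) can be run mechanically over a saved copy of a page. The following is an added example, not code from LeakDirectory or BritiLeaks; the host names and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes whose URL the browser fetches without any user action.
FETCH_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",),
    "embed": ("src",), "object": ("data",), "source": ("src",),
    "video": ("src", "poster"), "audio": ("src",), "link": ("href",),
}
# <link> only triggers a request for these rel values (canonical etc. do not).
AUTO_FETCHED_RELS = {"stylesheet", "icon", "preload", "prefetch"}


class ResourceAuditor(HTMLParser):
    """Collects automatically loaded resources that leak visitor details."""

    def __init__(self, page_url, first_party_hosts=()):
        super().__init__()
        self.page_url = page_url
        page = urlsplit(page_url)
        self.page_is_https = page.scheme == "https"
        self.first_party = {page.hostname} | {h.lower() for h in first_party_hosts}
        self.findings = []  # (tag, absolute_url, (issue, ...)) in page order

    def handle_starttag(self, tag, attrs):
        if tag not in FETCH_ATTRS:
            return  # e.g. <a href>: only requested if the visitor clicks
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & AUTO_FETCHED_RELS:
                return
        for name in FETCH_ATTRS[tag]:
            value = attrs.get(name)
            if not value:
                continue
            # Resolves relative and protocol-relative ("//host/...") URLs.
            url = urljoin(self.page_url, value.strip())
            parts = urlsplit(url)
            if parts.scheme not in ("http", "https"):
                continue  # data: and similar schemes cause no network request
            issues = []
            if parts.hostname not in self.first_party:
                issues.append("third-party")    # another operator's logs see the visitor
            if self.page_is_https and parts.scheme == "http":
                issues.append("mixed-content")  # fetched in the clear from an SSL page
            if issues:
                self.findings.append((tag, url, tuple(issues)))


def audit(html, page_url, first_party_hosts=()):
    auditor = ResourceAuditor(page_url, first_party_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page; every host name below is a placeholder.
PAGE_URL = "https://submit.example/prelaunch.php"
SAMPLE_PAGE = """
<html><head>
<link rel="canonical" href="https://other.example/prelaunch">
<link rel="stylesheet" href="http://submit.example/style.css">
<script src="https://captcha.example.net/api.js"></script>
</head><body>
<img src="/img/logo.png">
<img src="https://widgets.example.net/follow_button.png" />
<a href="https://social.example.com/profile">Follow us</a>
<iframe src="//video.example.net/embed/abc"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, url, issues in audit(SAMPLE_PAGE, PAGE_URL):
        print(f"{tag:7} {', '.join(issues):14} {url}")
```

This only inspects static markup; requests started by scripts or by `url()` references inside style sheets need a check of the browser's actual network traffic.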

    Flash file uploader class

    No

    Communications / Acknowledgement back to the whistleblower via the website

    Acknowledgement of receipt of information

    e.g. file upload success indicator - has the leak message or upload actually been received successfully ?

    Not really

    There is a misspelled and somewhat pretentious Thank You page

    Thank You.

    What you have done today could change the cource of history.

    All we ask of you now is to maintain your annonimity.

    BritiLeaks, powered by you.

    We crush corruption. Powered by MJSAHost.


    Leak analysis work flow status reporting

    e.g. Has anyone actually looked at what the whistleblower has submitted ?

    No

    Private message box

    e.g. for 2 way communications back to the anonymous whistleblower, asking for clarification, offering advice etc.

    No

    Domain Name Resilience

    Domain Name Registrar

    www.britileaks.org [208.64.126.193] is in the United States of America (USA)


    www.britileaks.co.uk [98.124.199.1] is in the United States of America (USA)

    USA based registrar Enom Inc. http://www.enom.com


    britileaks.info [216.144.245.14] forwards to britileaks.org

    N.B. britileaks.info is potentially very vulnerable to US legalistic censorship as it seems to be a controversial GoDaddy domain

    http://godaddy.com

    SecureSubmissionSystem.com and BritiPress.com are provided by MJSAHost.

    Multiple Internet Service Providers, in different legal jurisdictions ?

    Yes

    Domain Name Server(s) & jurisdiction(s)

    All in the USA legal jurisdiction

    BritiLeaks.org

    dns1.name-services.com 98.124.192.1

    dns2.name-services.com 98.124.197.1

    dns3.name-services.com 98.124.193.1

    dns4.name-services.com 98.124.194.1

    dns5.name-services.com 98.124.196.1

    BritiLeaks.co.uk

    dns1.name-services.com 98.124.192.1

    dns2.name-services.com 98.124.197.1

    dns3.name-services.com 98.124.193.1

    dns4.name-services.com 98.124.194.1

    dns5.name-services.com 98.124.196.1

    BritiLeaks.info

    NS1.MJSAHOST.COM [74.117.238.2]

    NS2.MJSAHOST.COM [74.117.238.3]

    SecureSubmissionSystem.com

    mjsa320374.earth.orderbox-dns.com

    mjsa320374.mars.orderbox-dns.com

    mjsa320374.mercury.orderbox-dns.com

    mjsa320374.venus.orderbox-dns.com

    Web Server hosting jurisdiction(s)

    http://britileaks.org [79.134.255.45]

    and

    https://securesubmissionsystem.com [79.134.255.45]

    (N.B. same IP address)

    are both hosted in Iceland by http://icecell.is

    Alternate Domain Name aliases

    http://www.BritiLeaks.org

    http://www.BritiLeaks.co.uk


    Actual Physical Mirrors of the website:

    No

    Content officially available via BitTorrent etc P2P etc.

    No

    Hosting of Mirrors of other whistleblowing websites

    Yes

    http://leaks.britileaks.org/mirrors/

    Mirrors may be torrents or direct downloads.

    Current mirrors:

    irishleaks.ie

    wikileaks

    americancensorship.org

    facebook-law-enforcement

    "TPCrawler" by IcyApril (http://leaks.britileaks.org/mirrors/tpcrawler)