BritiLeaks false start

From LeakDirectory


The original BritiLeaks.org website made so many potentially critical anonymity and security mistakes that it has now, thankfully, been replaced by what should be a much better infrastructure when it officially re-launches:

Current BritiLeaks website notes and analysis

Our notes and comments on the original website are preserved below, to educate potential whistleblowers and whistleblower site operators about some mistakes to avoid.




General Notes

Our Mission Statement:

BritiLeaks.org strives to be the most recognised media body in the UK that deals specifically with leaked information that alleges corruption, wrong-doing, lies, deceit etc.

Our number one aim is to get sensitive information to the public whilst respecting and maintaining the privacy of our source. We do this by purposely not knowing the source of our disclosure from the very beginning and taking measures to make sure the traceability of our source is almost impossible.

We believe that the British public, and humanity at large, deserve nothing more than the truth itself. We will stop at nothing to accomplish this.

Could this be a Honeypot to spy on potential whistleblowers ?

It is utterly irresponsible to be already soliciting both whistleblower leaks and volunteers, without providing any anonymity or security whatsoever on the BritiLeaks.org / BritiLeaks.co.uk website.

The weebly.com web pages are also currently "web bugged" through Quantserve

The use of the britileaks@hotmail.co.uk email address means that the UK authorities can obtain the Communications Traffic Data of any correspondents, without any warrant or court order.

They have now changed to britileaks@riseup.net, which is no more "secure" from a whistleblower's point of view.

This interview gives a few more details and vague promises, but no compelling reason for whistleblowers or volunteers to trust them rather than their rivals

http://www.liberte-info.net/interviews/britileaks.html

Update 17th July 2011

"Briti McLeaky" now say that they are not yet soliciting any leaks until they have some anonymity and security systems in place.

Update 23rd July 2011

1) They have now added Google Analytics tracking of every visitor to their britileaks.weebly.com free webspace

They are now betraying the details of every potential volunteer and whistleblower to at least two US commercial web tracking organisations and therefore also the US Government.

This is totally unacceptable for a website which claims to protect the anonymity of its sources and volunteers.

2) It is hard to think of an example of a more incompetent "publication" of a public PGP Encryption Key - it does not actually belong to them and they do not have access to the Private Key at all!

Perhaps they think that if you simply attach the Public Key block to an email, it will somehow magically encrypt it ?

Update 2nd August 2011

Britileaks.org have now removed the link to the PGP Key (PGP ID = 1A3F797B) which they have never controlled, after 10 days of passing it off as their own.

Britileaks.org have now made several Twitter promises of a new website, with a "Secure Submission" system - it does not need to be very secure to be a vast improvement over the current one.

You would need to have been following their twitter feed to know that they are planning to launch a new "secure" website. This is not obvious to search engine directed visitors to the current website.

Contact Details

website
http://www.BritiLeaks.org
Press Enquiries
email: was britileaks@hotmail.co.uk now britileaks@riseup.net
General Enquiries
telephone: none
fax: none
email address: was britileaks@hotmail.co.uk now britileaks@riseup.net

source: http://britileaks.weebly.com/

Postal Address:

Social Networking publicity

Twitter

https://twitter.com/#!/britileaks

FaceBook

Blog / RSS

Financial Donation methods

No

Currently accepting submissions of whistleblower leaks ?

Yes ! even though they have not bothered to secure their website or email etc. at all.

As of 17 July 2011, they are no longer soliciting Leaks, just Volunteer and Media contacts, for now.


Planned Submission system launch date ?

Restrictive legal Terms & Conditions

Practical Advice on preserving Whistleblower Anonymity

No

Leak Submission Encryption

None

Digital Certificate fingerprints published on their website:

No

Qualys SSL Labs SSL Server Test rating:

Not applicable

PGP Public Encryption Key

No !

They really have no clue about PGP at all.

On 21st July 2011 they published

http://britileaks.weebly.com/public-key.html

The display of this PGP Key block is mangled by the weebly.com content management system

They should have used the <PRE> and </PRE> HTML tags to display the block correctly and, ideally, should also have published it as a link to a simple .txt or .asc text file on their own website / webspace.

This problem also affected, say, the Filtradas whistleblower website, but they have now fixed this.

As a backup to provide resilience against denial of service attacks or legal or illegal censorship of the main website, it is a good idea to publish the public PGP Key to a PGP Key Server e.g. like this

http://pgp.zdv.uni-mainz.de:11371/pks/lookup?op=vindex&search=britileaks&fingerprint=on

pub 2048R/1A3F797B 2011-07-17 Fingerprint=7844 9D79 1A3F 6071 A481 279B B790 7961 1A3F 797B

uid BritiLeaks contact (http://BritiLeaks.org https://twitter.com/BritiLeaks) <britileaks@riseup.net>


N.B. Anybody can publish a PGP Key to any public PGP Keyserver, so they are useful as backups, but they cannot be the only method of establishing trust in the validity of a particular PGP key.

The key listed above is the same PGP public key block which BritiLeaks.org have published on their website, and it mentions the britileaks@riseup.net etc. details, but this is not their PGP key at all!

BritiLeaks.org do not have access to the corresponding Private Key, so anybody who does succeed in unpicking the misplaced carriage returns / line feeds etc. from their web page will not be able to send them anything that they can decrypt.

Whistleblower websites should publish the PGP ID and / or PGP Fingerprints and the Expiry Date details on the website itself, in addition to publishing it to PGP Keyservers and elsewhere.
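The check a visitor can make when a fingerprint is published on the website, shown as an added example (not code from LeakDirectory or BritiLeaks): compute the version 4 fingerprint from the key material itself rather than trusting the user ID text, which anybody can type into a key. The sample packet is a constructed toy key built inline; the function names are hypothetical.

```python
import base64
import hashlib
import struct

def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI (2-octet bit count, then the value)."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

# Constructed toy RSA public-key packet body (version 4, creation time, algorithm 1).
# The numbers are placeholders: not a usable key and not the key quoted on this page.
BODY = bytes([4]) + struct.pack(">I", 1310860329) + bytes([1]) + mpi(0xC0FFEE1234567) + mpi(65537)
PACKET = bytes([0x99]) + struct.pack(">H", len(BODY)) + BODY  # old-format header, tag 6
SAMPLE_ARMOR = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed sample\n\n"
                + base64.b64encode(PACKET).decode() + "\n-----END PGP PUBLIC KEY BLOCK-----\n")

def dearmor(armored: str) -> bytes:
    lines = [line.strip() for line in armored.strip().splitlines()]
    body = lines[lines.index("") + 1:-1]  # skip the armor headers and the END line
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))  # drop CRC line

def first_packet(data: bytes):
    """Return (tag, body) of the first OpenPGP packet (RFC 4880, section 4.2)."""
    head = data[0]
    if head & 0x40:  # new-format header
        tag, o1 = head & 0x3F, data[1]
        if o1 < 192:
            length, off = o1, 2
        elif o1 < 224:
            length, off = ((o1 - 192) << 8) + data[2] + 192, 3
        elif o1 == 255:
            length, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths are not valid for key packets")
    else:  # old-format header
        tag, width = (head >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}.get(head & 3)
        if width is None:
            raise ValueError("indeterminate length is not supported")
        length, off = int.from_bytes(data[1:1 + width], "big"), 1 + width
    return tag, data[off:off + length]

def v4_fingerprint(armored: str) -> str:
    tag, body = first_packet(dearmor(armored))
    if tag != 6 or body[:1] != b"\x04":
        raise ValueError("first packet is not a version 4 public key")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def matches_published(armored: str, published: str) -> bool:
    """Compare the computed fingerprint with one obtained from the website."""
    return v4_fingerprint(armored) == "".join(published.split()).upper()
```

A match only shows that the downloaded key is the one the website names; whether the operators hold the private key still has to be shown by them, for example by signing a statement with it.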

TOR Hidden Service

No

I2P eepsite

No

PrivacyBox.de

No

Hushmail Secure Form

No

Leak Submission Anonymity

TOR users blocked from access

No

3rd Party or persistent tracking cookies or graphics

Yes !

Quantserve Javascript and "web bug" graphics betray most visitors' web browser and IP address details to this commercial web tracking company in the USA

http://pixel.quantserve.com/pixel/p-0dYLvhSGGqUWo.gif

With their new graphics logo, launched on 21st July 2011, they seem to have enabled Google Analytics on their free britileaks.weebly.com website.

Google Analytics account: UA-7870337-1

They are now betraying the details of every potential volunteer and whistleblower to at least two US commercial web tracking organisations and therefore also the US Government.

This is totally unacceptable for a website which claims to protect the anonymity of its sources and volunteers.
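An added example (not part of the original notes) of how a site operator could audit a page for this kind of leak before publishing it: list every host other than the site's own from which the browser will fetch a resource, and any Google Analytics account ID in inline script. The sample HTML is constructed, using the pixel URL and account ID quoted above; the class and function names are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not a capture of the real site); the pixel URL and
# Analytics account ID are the ones quoted in the notes above.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/files/main_style.css">
<script src="http://www.google-analytics.com/ga.js"></script>
<script>var _gaq = []; _gaq.push(['_setAccount', 'UA-7870337-1']);</script>
</head><body>
<img src="/uploads/logo.png">
<img src="http://pixel.quantserve.com/pixel/p-0dYLvhSGGqUWo.gif" height="1" width="1">
</body></html>"""

# Tags that make the browser fetch a URL without any click by the visitor.
LOAD_TAGS = {"script", "img", "iframe", "link", "embed", "object", "video", "audio", "source"}
URL_ATTRS = {"src", "href", "data", "poster"}

class ThirdPartyAudit(HTMLParser):
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party = first_party_host.lower()
        self.third_party = {}        # host -> set of tags that load from it
        self.analytics_ids = set()   # UA-... account IDs seen in inline script
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        if tag not in LOAD_TAGS:
            return
        for name, value in attrs:
            host = (urlparse(value or "").hostname or "").lower()
            if name in URL_ATTRS and host and host != self.first_party:
                self.third_party.setdefault(host, set()).add(tag)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.analytics_ids.update(re.findall(r"\bUA-\d+-\d+\b", data))

def audit(html, first_party_host):
    parser = ThirdPartyAudit(first_party_host)
    parser.feed(html)
    parser.close()
    return {h: sorted(t) for h, t in parser.third_party.items()}, sorted(parser.analytics_ids)
```

On free hosted webspace the hosting provider's own template may insert such tags, so the audit has to be run against the page as served, not against the content typed into the editor.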

CAPTCHA graphics generated from another website e.g. Google Re-Captcha

No

Mixed mode non-SSL graphics or style sheets

No

Embedded video clips etc. from another website e.g. YouTube

No

Flash file uploader class

No

Communications / Acknowledgement back to the whistleblower via the website

Acknowledgement of receipt of information

e.g. file upload success indicator - has the leak message or upload actually been received successfully ?

No

Leak analysis work flow status reporting

e.g. Has anyone actually looked at what the whistleblower has submitted ?

No

Private message box

e.g. for two-way communications back to the anonymous whistleblower, asking for clarification, offering advice etc.

No

Domain Name Resilience

Domain Name Registrar

www.britileaks.org [208.64.126.193] is in the United States of America (USA)


www.britileaks.co.uk [98.124.199.1] is in the United States of America (USA)


USA based registrar Enom Inc. http://www.enom.com

Multiple Internet Service Providers, in different legal jurisdictions ?

No

Domain Name Server(s) & jurisdiction(s)

All in the USA legal jurisdiction

BritiLeaks.org

dns1.name-services.com 98.124.192.1

dns2.name-services.com 98.124.197.1

dns3.name-services.com 98.124.193.1

dns4.name-services.com 98.124.194.1

dns5.name-services.com 98.124.196.1

BritiLeaks.co.uk

dns1.name-services.com 98.124.192.1

dns2.name-services.com 98.124.197.1

dns3.name-services.com 98.124.193.1

dns4.name-services.com 98.124.194.1

dns5.name-services.com 98.124.196.1

Web Server hosting jurisdiction(s)

http://britileaks.weebly.com/

britileaks.weebly.com [199.34.228.106] is in the United States of America (USA)

Alternate Domain Name aliases

http://www.BritiLeaks.org

http://www.BritiLeaks.co.uk


Actual Physical Mirrors of the website:

No

Content officially available via BitTorrent or other P2P networks etc.

No
