OpenLeaks

From LeakDirectory


General Notes

OpenLeaks.org is a work in progress by former WikiLeaks.org people, including Daniel Domscheit-Berg, with the intention of providing a whistleblowing infrastructure for local whistleblowers, the mainstream media and non-governmental organisations, without the controversy associated with Julian Assange and WikiLeaks.org.

They should have much to contribute in terms of computer infrastructure security, anonymity and scalability experience, but their system, like that of Wikileaks.org / WikiLeaks.ch itself, is not currently accepting any whistleblower submissions.

See Andy Greenberg's article:

OpenLeaks Announces A Test Launch, Invites 3,000 Hackers To Attack It

Domscheit-Berg argues that leaking sites’ security measures don’t need to be as tight as WikiLeaks’ were during Domscheit-Berg’s time with the group – they need to be tighter. Adversaries of leaking like corporations, law enforcement and intelligence, he says, have ramped up their security measures in the wake of WikiLeaks’ record-breaking breaches. “WikiLeaks appeared out of nowhere,” says Domscheit-Berg. “It caused a lot of new problems no one had thought about before. Now they’ve thought about this whole thing for a bit. The dust has settled. And it will never be as easy again.”

That means facilitating leakers needs to become more systematic and rigorous, Domscheit-Berg says.

Update 05 February 2012

The self-signed Digital Certificate for openleaks.org was allowed to expire on 18th October 2011, which rather casts doubt on whether the project is still active in February 2012.

There are Twitter rumours that Daniel Domscheit-Berg has been re-admitted into the Chaos Computer Club, after making it clear that the OpenLeaks.org project is not officially endorsed by CCC i.e. something which almost nobody outside of the CCC bureaucracy thought was either true or important.


Update 21 August 2011

The publicity about this test preview of the OpenLeaks.org submission system, the temporary https://leaks.taz.de website, has led to controversy in Germany. It was used as the excuse to expel Daniel Domscheit-Berg from the Chaos Computer Club.

The real reason for his expulsion seems to be related to a single copy of an encrypted disk, for which Julian Assange was the only person to have the cryptographic keys, but which was in the physical possession of Daniel Domscheit-Berg when he and the other main technical team members left WikiLeaks.org last year.

The main effect of this expulsion on OpenLeaks.org may be to make it impossible for them to use the Wau Holland charitable foundation as a conduit for financial contributions, a service which the foundation provides to the WikiLeaks.org project. See:

Chaos Computer Club expels Daniel Domscheit-Berg - will this affect OpenLeaks.org finances ?

Update 08 September 2011

Daniel Domscheit-Berg is reported as having now destroyed the encrypted data from WikiLeaks.org, citing the need to protect whistleblower sources, something which WikiLeaks.org still cannot be trusted with.

The propaganda and threats aimed personally at Daniel Domscheit-Berg by WikiLeaks.org fanatics, to somehow blame him for their own security failings and incompetence (WikiLeaks.org leaked their own "crown jewels" leak of unredacted US Diplomatic Cables online through BitTorrent and by stupidly re-using a cryptographic password) may make it difficult or impossible for the OpenLeaks.org project to proceed as planned.

Whistleblower websites need to learn from these personnel and procedural failures - technology is only part of the anonymity / security / trust / publicity / publishing system that such websites aim to achieve.


Contact Details

website: http://www.openleaks.org

http://www.openleaks.org/content/contact.shtml


Press inquiries

   *   email: press@openleaks.org

General inquiries

   *   telephone:   +49 30 57706454 0
   *   fax:         +49 30 57706454 9
   *   email address: contact@openleaks.org
   *   OpenLeaks on Skype: OpenLeaks@skype.com

Postal Address:

None

Social Networking publicity

Mainstream media print and broadcast journalists and politicians etc. i.e. influential people at which whistleblower leaks are targeted, are busy people, but can sometimes be enticed to read about whistleblower issues through Twitter or FaceBook or Blog RSS feeds etc.

Twitter

While we would like to use the twitter account we registered (openleaks), we can not because something is wrong with the account. We tried to recover it through the official process of working together with twitter but were turned down.

FaceBook

None

Blog

None

Financial Donation methods

Methods of accepting payments from the public and supporters also come under political and legal pressure, as WikiLeaks.org have learned to their cost:

OpenLeaks.org is currently soliciting money through several payment methods:

https://www.openleaks.org/content/support.shtml

Flattr https://flattr.com/profile/openleaks

PaySafeCard https://www.openleaks.org/content/psc.shtml

Ukash https://www.openleaks.org/content/ukash.shtml

Webmoney https://www.openleaks.org/content/webmoney.shtml

Currently accepting submissions of whistleblower leaks ?

No

Planned Submission system launch date ?

- perhaps after the Chaos Communication Camp in the Summer of 2011

http://events.ccc.de/2010/08/10/chaos-communication-camp-2011/

10th to 14th August 2011 at Finowfurt (near Berlin), Germany

Leak Submission Encryption

Digital Certificate fingerprints published on their website:

http://www.openleaks.org/content/contact.shtml

   The SSL certificate we use for this website has the following fingerprints:
   * SHA-1: 14:1F:81:F7:A2:F6:01:52:4C:82:B2:94:43:6D:5C:D9:A4:65:22:C5
   * MD5: D9:83:FC:4D:6A:65:F8:2F:85:CA:20:2C:F2:93:3C:A8

The serial of the certificate is 0A:1D:E6.

N.B. these published cryptographic hash fingerprints now do actually match the currently installed Digital Certificate - there have been 2 or 3 Digital Certificate changes between January and May 2011.

This self-signed Digital Certificate was allowed to expire on 18th October 2011, which rather casts doubt on whether the project is still active in February 2012.

It is a good idea to publish these on the website, but only if the web page and the installed certificate are actually kept up to date.
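The check a visitor has to make against such a page, as an added example (not code from LeakDirectory or OpenLeaks): hash the certificate the server presents and compare it with each fingerprint the page lists, so that a replaced certificate or a damaged page entry is reported instead of silently trusted. The function names and the two stand-in certificates are constructed for illustration.

```python
import hashlib
import hmac
import ssl

DIGEST_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def normalise(published: str) -> str:
    """Turn '14:1F:81:...' (or spaced / lower-case variants) into bare lower-case hex."""
    return "".join(ch for ch in published if ch not in ": \t\n").lower()


def colon_form(hex_digest: str) -> str:
    """Render a hex digest in the colon-separated form the contact page uses."""
    return ":".join(hex_digest[i:i + 2] for i in range(0, len(hex_digest), 2)).upper()


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the presented certificate without chain validation (required for self-signed)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


def check_published(der: bytes, published: dict) -> dict:
    """Compare each published fingerprint with the digest of the DER certificate."""
    verdicts = {}
    for alg, text in published.items():
        want = normalise(text)
        bad_hex = any(c not in "0123456789abcdef" for c in want)
        if len(want) != DIGEST_HEX_LEN.get(alg, -1) or bad_hex:
            verdicts[alg] = "malformed"  # truncated, mistyped or unknown algorithm
            continue
        got = hashlib.new(alg, der).hexdigest()
        verdicts[alg] = "match" if hmac.compare_digest(got, want) else "MISMATCH"
    return verdicts


# Constructed stand-ins for two DER certificates (not real certificates).
OLD_CERT = b"\x30\x82\x00\x10constructed-certificate-A"
NEW_CERT = b"\x30\x82\x00\x10constructed-certificate-B"

# What a contact page would list if it was written while OLD_CERT was installed.
PAGE = {alg: colon_form(hashlib.new(alg, OLD_CERT).hexdigest()) for alg in ("sha1", "md5")}

if __name__ == "__main__":
    print("page current :", check_published(OLD_CERT, PAGE))
    print("cert replaced:", check_published(NEW_CERT, PAGE))
    print("truncated    :", check_published(OLD_CERT, {"sha1": PAGE["sha1"][:-3]}))
```

Against a live server, `check_published(fetch_der(host), {...})` takes the fingerprints copied from the page; a "sha256" entry is handled the same way and is preferable to MD5 and SHA-1 for newly published fingerprints.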

Qualys SSL Labs SSL Server Test rating:

https://www.ssllabs.com/ssldb/analyze.html?d=www.openleaks.org&s=83.223.73.52

Overall rating: F [0]

Certificate: 0

Protocol Support: 85

Key Exchange: 80

Cipher Strength: 90

No weak cipher suites or deprecated SSL 2.0 protocol, but because this is a self signed Digital Certificate, some potential users will refuse to trust this website, or their web browser configurations will prevent them from trusting this website.

When OpenLeaks.org launched their website back in January 2011, they did use a commercial Digital Certificate from GlobalSign nv-sa, which they abandoned for some undisclosed reason.

N.B. The DNS entries for OpenLeaks.org have a second A record which points to another IP address:

83.223.73.53 w-4.so36.net

perhaps for resilience or development, but which does not currently have any public Digital Certificate installed.

PGP Public Encryption Key

https://www.openleaks.org/downloads/contact_at_openleaks_org.asc

http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0x21D6A86FB52DC7BA

contact@openleaks.org

PGP ID: 0xB52DC7BA

Created: 18/12/2010

Expires: 17/12/2012

Type: RSA 4096/4096

Cipher: AES 256 bit

PGP Fingerprint: 42CC E8DE 2463 8F46 8D9B 86A3 21D6 A86F B52D C7BA

TOR Hidden Service

None

I2P eepsite

None

Domain Name Resilience

The threats of legal court proceedings against Domain Name Registrars and Domain Name Service providers are lessons which WikiLeaks.org emulators should take note of:

Domain Name Registrar

http://WebNic.cc

Web Commerce Communications Limited dba WebNic.cc, based in Kuala Lumpur, Malaysia


Multiple Domain Name Service providers, in different legal jurisdictions ?

Yes

ns4.afraid.org

ns1.1984.is

ns0.1984.is

ns2.1984.is

ns2.afraid.org

1984.is is based in Iceland

afraid.org is based in California, USA

OpenLeaks.org is hosted in Germany

Alternate Domain Name aliases

The following alternate domains are currently available:

   * openleaks.org  [83.223.73.53] and  [83.223.73.52] 
   * openleaks.net [83.223.73.52] and  [83.223.73.52]
   * openleaks.rs [83.223.73.52]
   * openleaks.ws [83.223.73.52]

Actual Physical Mirrors of the website:

None

Content available via BitTorrent etc P2P etc.

None
