Spain's Xnet: leak-publishing corruption-fighters

Originally published at: https://boingboing.net/2014/12/15/spains-xnet-leak-publishing.html

1 Like

This is an inspiring action but I’m afraid it has important issues. Their leak method consists of using an openmailbox.org account and the Tor browser, leaving PGP crypto as optional.

This is a big flaw and nobody should leak using this system. It’s insecure by design, leaving crypto as optional and trusting third-party systems, and it doesn’t provide perfect forward privacy. You can be screwed in the future, given how surveillance programmes have been working. Also, any government can set up malicious Tor nodes.

Edit: I realized they used OpenPGP.js to generate their key. They could have used GnuPG instead, but they lack the technical skills to understand that JavaScript crypto can be compromised: http://matasano.com/articles/javascript-cryptography/

1 Like
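The forward-secrecy point in the post above is easier to see with a small model than in prose. The following is an added illustration, not code from the thread, from Xnet, or from OpenPGP.js. It models two ways of getting a leak to a journalist: (a) the PGP pattern, where the sender encrypts to the journalist's long-term public key and the message, once archived by a mail provider or a passive collector, stays decryptable for as long as that one key can ever be obtained; and (b) a session where both sides use fresh ephemeral keys that are wiped afterwards, so a later compromise of the long-term key does not open the archive. Assumptions: finite-field Diffie-Hellman over the 2048-bit MODP group from RFC 3526 (the prime is transcribed here and sanity-checked with Miller-Rabin), HMAC-SHA256 as a stand-in key-derivation function, and a toy XOR keystream in place of a real authenticated cipher. The sample leak text is constructed.

```python
import hashlib
import hmac
import secrets

# 2048-bit MODP group (RFC 3526, group 14), generator 2. The prime is transcribed
# here by hand; is_probable_prime() below is used to catch a transcription slip.
P_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
"""
P = int("".join(P_HEX.split()), 16)
G = 2

# Constructed sample leak; stands in for a real document.
LEAK = b"constructed sample: 2013 invoices, contract list, board minutes"


def is_probable_prime(n, rounds=8):
    """Miller-Rabin test, used only to sanity-check the transcribed group prime."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def keypair():
    """Fresh DH key pair; the private exponent comes from the OS CSPRNG."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def derive_key(priv, peer_pub):
    """Session key = KDF(g^(ab) mod p). HMAC-SHA256 stands in for a real KDF."""
    shared = pow(peer_pub, priv, P)
    return hmac.new(b"demo-kdf-salt", shared.to_bytes(256, "big"), hashlib.sha256).digest()


def stream_xor(key, data):
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream.
    Same call encrypts and decrypts. Unauthenticated; illustration only."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def pgp_style_mail(journalist_longterm_pub):
    """Pattern (a): encrypt to the recipient's long-term key, as a PGP message does.
    The archive keeps the sender's one-time public value and the ciphertext."""
    l_priv, l_pub = keypair()
    ct = stream_xor(derive_key(l_priv, journalist_longterm_pub), LEAK)
    del l_priv  # sender wipes its one-time secret; that alone does not help
    return {"sender_pub": l_pub, "ciphertext": ct}


def forward_secret_session():
    """Pattern (b): both sides use ephemeral keys and wipe them after the session.
    A long-term key would only sign the ephemeral values (signature omitted here);
    it never enters the session-key computation."""
    l_priv, l_pub = keypair()
    j_priv, j_pub = keypair()
    key = derive_key(l_priv, j_pub)
    assert key == derive_key(j_priv, l_pub)  # both sides agree on the key
    ct = stream_xor(key, LEAK)
    del l_priv, j_priv, key  # ephemeral material is destroyed after use
    return {"sender_pub": l_pub, "receiver_pub": j_pub, "ciphertext": ct}


def later_compromise(archived, journalist_longterm_priv):
    """Years later the journalist's long-term private key is obtained (seizure,
    malware, weak passphrase). The attacker replays the archived public value
    against it and tries to decrypt."""
    guess = derive_key(journalist_longterm_priv, archived["sender_pub"])
    return stream_xor(guess, archived["ciphertext"])


def demo():
    """Returns whether each archived message is recoverable after the long-term
    key leaks: True for the PGP-style mail, False for the ephemeral session."""
    j_priv, j_pub = keypair()  # journalist's long-term key
    return {
        "pgp_mail_recovered": later_compromise(pgp_style_mail(j_pub), j_priv) == LEAK,
        "pfs_session_recovered": later_compromise(forward_secret_session(), j_priv) == LEAK,
    }


if __name__ == "__main__":
    print(demo())  # {'pgp_mail_recovered': True, 'pfs_session_recovered': False}
```

The asymmetry is the whole point of the complaint: with an encrypt-to-long-term-key workflow, every message ever captured in transit or at the provider remains one key compromise away from disclosure, and nothing the sender does later changes that. Ephemeral exchange limits the blast radius of a future key compromise to nothing already archived, at the cost of requiring an interactive session rather than store-and-forward e-mail.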

My second thought [1] was that this would make a great basis for a movie [2]. I don’t see any reason to change much of anything aside from the actual case details – keep the activists, the mechanisms, the Spanish law [3].

[1] The first was that there is so much that the new Spain is doing right. Bravo!
[2] Does anyone here know a writer? </wink>
[3] I can think of a few people (some named Brown, some named Garner, lots of others) who would love the Spanish right of private action in cases of corruption.

2 Likes

Hi @tranxparencia. The Xmailbox [BuzónX] works at many levels with regard to the protection of the source. First of all and most important, the only people who access the Xmailbox are journalists and lawyers; they are the only ones who can legally remain silent in case a judge asks them to give the name of the leaker [legal confidentiality].
From the technical point of view, even though ideally we would always use PGP encryption, it requires technical skills that not everyone has. For that reason it was chosen to use the Tor browser + Openmailbox, a sufficiently safe tool and readily employable by anyone, whatever their technical knowledge is. A government could set up a malicious Tor node, though it is practically impossible to identify the leakers by doing so. It might be possible if the communications were always from A to B, but not coming from that many different sources [I suppose it is clear at this point that I’m involved in the project and I can tell we have read about it ; ) ].
On the other hand, every case is different. Sometimes the info sent to the Xmailbox is publicly available, or it is clear that the leaker is the only one with access to the info, or in fact the source has already taken the case to the courts. Often in this kind of situation the source is suffering from mobbing, and it is actually preferable to protect them by publishing their identity in the media and making the mobbing evident.
Finally, we strongly encourage the use of PGP and train the source to do so, in case the communications must be frequent.

Regards and keep fighting : )

1 Like

This topic was automatically closed after 5 days. New replies are no longer allowed.