Dear all, I am sharing this information, sent to me by a group at the OAS; I hope it is useful to the group and that the translation is correct. Greetings.
THE LARGEST LEAK IN THE HISTORY OF JOURNALISM
Putting 2.6 TB of leaked data in the cloud, safely available to 400 journalists, was an unprecedented challenge. To make it even more complex, only open source software was used. This is the story.
By Thomas Fox-Brewster
It was an epic achievement. Whoever was responsible for obtaining the Panama Papers from Mossack Fonseca, the specialist in tax evasion and offshore companies, leaked a staggering 11 million documents and 2.6 terabytes of data, the largest intrusion of all time. Previous mega-leaks were in the range of gigabytes: Wikileaks Cablegate was 1.7 GB; Ashley Madison, about 30 GB; Sony Pictures, an estimated 230 GB.
On April 1, Mossack Fonseca sent a letter to its customers letting them know what was happening and telling them in advance what the outcome of this investigation would be. On the reactions of customers, Ramón Fonseca, senior partner of the firm, told Forbes Latam that various answers were given, but that in several cases there was "a lot of understanding."
"We are already in full knowledge [of the vulnerabilities] and close the gap," Fonseca told Forbes Latam. The information obtained for the journalistic investigation was the result of "a limited hacking," he said.
The logistics of the journalistic operation behind the Panama documents were equally amazing: a year of information exchange, on open source software, among more than 100 publications, from The Guardian to the BBC, and 400 journalists.
All of Mossack Fonseca's emails, files and images had to be stored on encrypted drives that were later moved safely to the cloud, to prevent stories from leaking prematurely or being seen by someone outside the group. At the same time, they had to remain usable by both technical and non-technical journalists.
And after the concerted effort, concrete stories are beginning to emerge:
A cellist and close friend of Putin, who moved large amounts of money into accounts abroad through foreign entities, ended up financing a ski resort where the daughter of the Russian leader got married. The Prime Minister of Iceland did not reveal that his wife owned an offshore company that had a stake in bankrupt banks. And the father of the Prime Minister of the United Kingdom, David Cameron, ran an offshore company to avoid paying tax. And there is more to come.
Where is all that data currently stored? In Amazon's cloud, in a data center accessible to anyone who knows the URL and has a password. The journey of these files, from the leak to the revelations, is an amazing example of developers and journalists working together to keep out snoops and make sure the information they work with is safe and, perhaps just as importantly, usable by all parties. Just to add an extra ingredient of complexity: the entire process was carried out using open source technology.
A leaked message to customers indicates that it all started with a typical, preventable hack. In a letter dated April 1 and published on the Wikileaks Twitter account, the company told clients that it was investigating a break-in on its e-mail server. Mossack Fonseca did not respond to repeated requests for comment on the incident, but Ramón Fonseca reiterated to Reuters that the breach had been "limited" and denounced an "international campaign against privacy," despite the significant amount of data that had been extracted from the organization.
Mossack Fonseca is currently in the spotlight, mocked for its poor security practices and heavily criticized for facilitating widespread tax evasion, even when proceeds of crime were involved. Its emails were not encrypted, according to encryption expert Christopher Soghoian, while its websites were full of potential vulnerabilities; they practically invited an incursion by any willing hacker.
Forbes found that the firm used on its main site a version of WordPress that was released three months ago and is known to contain some vulnerabilities. More worrying, the portal used by customers to access sensitive data ran on Drupal 7.23, a version released three years ago. This platform has at least 25 known vulnerabilities at the time of this writing, two of which could have been used by a hacker to upload their own code to the server and start siphoning off databases. In 2014, Drupal warned of a series of attacks on websites based on its code, and told users that anyone still running a version below 7.32 seven hours after its release should assume they had been hacked.
This critical vulnerability was open for more than two and a half years on Mossack Fonseca's site. It remains a valid route for hackers to obtain more data from the company and its customers. On its site, the company says that "information has never been safer than in the Mossack Fonseca secure Customer Portal." That statement now looks somewhat wrong.
Whatever vulnerability the hacker exploited, for at least a year the company either did not notice the breach or did not issue a public alert. After the intruder stole the information and moved it to their own servers, they made initial contact with Bastian Obermayer, a journalist for Süddeutsche Zeitung (SZ), through an encrypted chat. The communication channel may have been a Jabber client, or Android or iPhone applications such as Telegram or Wickr.
The leaker, using the name John Doe, made clear how they would communicate from that point forward. "There are a couple of conditions. My life is in danger. We will talk only through encrypted channels. There will be no meeting ever."
Shortly thereafter, the data began to arrive, but not all at once. SZ coordinated with the International Consortium of Investigative Journalists (ICIJ) to handle the huge volumes of data arriving incrementally. At the first meeting they had to decide what to do with 1 TB.
Similar meetings were held until the papers added up to 2.6 TB. According to Mar Cabra, head of the ICIJ's Data and Research Unit, the files and their replicas were distributed across various encrypted hard drives, using the VeraCrypt software to protect the information. (Obermayer told me that he also used that tool on his PC to work with the Panama Papers.)
VeraCrypt is a thriving open source program that many see as a safer version of TrueCrypt, which was once widely used. VeraCrypt was designed by French cryptographers at IDRIX; the beta version was released in 2013 for Apple OS X, Microsoft Windows and Linux. When the TrueCrypt developers declared that they would no longer support their product, IDRIX's creation became one of the few successors that gained immediate popularity.
Mounir Idrassi, the lead developer of VeraCrypt, told Forbes, through an encrypted email, that it fixed many of the software vulnerabilities discovered in TrueCrypt and uses stronger algorithms. Idrassi said that "it is virtually impossible to decipher an encrypted volume with VeraCrypt".
The "hidden volumes" feature allows users to unlock the visible, less sensitive part of a VeraCrypt volume with one password, while another password is used to hide sensitive information. "It is technically impossible to prove whether there is a hidden volume," Idrassi said. This mechanism is important for plausible deniability; a journalist under pressure could hand over the first password, but not reveal the second, which is used to access the valuable data.
But VeraCrypt has not yet been tested. It has not been audited by independent hackers, as TrueCrypt was; TrueCrypt was still considered safe even after support for the platform ended. According to Steve Lord, a white hat hacker at the British company Mandalorian, the software is not enough by itself to protect files. "There need to be associated processes for handling and communicating information securely, and I would avoid connecting to the internet any system containing the raw data of the Panama Papers, if possible. There are a lot of people who want that data," Lord said.
According to Cabra, however, using VeraCrypt involved only one problem: a disk was corrupted when the initial batch of data was migrated. The team simply had to restart the process. As far as she's concerned, there has been some indication that these leaks were leaked again.
Its arrival at Amazon
Cabra was not afraid to store the information on the Internet. To make it accessible to more than 400 journalists, Cabra said, the files were uploaded to Amazon, a long process, but not as slow as putting the data in order into searchable formats.
All the software used was open source, tailored to the needs of reporters. The search tool, which allows journalists to hunt for names like Putin or places like the British Virgin Islands, is based on Apache Solr, used by a large number of organizations specializing in search, including DuckDuckGo, a privacy-focused tool. Solr was combined with Apache Tika, indexing software that can parse different types of files, whether PDFs or emails, as in the Panama Papers, filtering out data that is not essential from the text. On top of these layers, the interface was developed using Blacklight, another open source project.
Once the platform was up, the more than 400 journalists, who would meet in person at events organized by SZ and the ICIJ throughout 2015 and 2016, only needed the link and a randomly generated password to start poking around in the documents for clues.
Beyond protection against brute-force guessing of usernames and passwords, there was no other access protection, though anyone connecting to the site would do so over lines encrypted using the SSL protocol, as cryptographically protected websites do, from Facebook to online banking.
To understand what they were seeing, journalists could use the integrated data visualization, running on a mixture of the Neo4j graph database technology and Linkurious, which made the job of drawing connections between files easier.
A separate site, a "virtual pressroom" as Cabra called it, included extra protection: two-factor authentication with Google Authenticator, which provided an additional code that could be used only once, to be entered before the password.
In that space, reporters could update their colleagues with their latest ideas on articles or reports, all delivered through a timeline similar to Facebook's stream, and they could also use the chat feature to facilitate collaboration. Again, the social network was built on open source software, Oxwall. (ICIJ also creates some of its own open source tools. Its most recent contribution to GitHub is a command line tool for content analysis.)
Some reporters, including those at SZ, also used Nuix, a proprietary tool often used by law enforcement and audit firms to uncover evidence in data repositories. The CEO of the Sydney-based company, Eddie Sheehy, said that although 2.6 TB is a lot, his organization's software has already helped search databases of between 300 and 400 TB of information. Its customers include the US Secret Service, the Office of Homeland Security, the European Commission and the Ministry of Interior. Nuix has been associated with ICIJ for the past five years. "We decompose the data into its smaller parts and begin to tell stories about them, whether IP addresses, phone numbers or company names," Sheehy said.
The value of cryptography
All this, said Mar, was designed to use cryptography in a usable way, something from which all organizations, including Mossack Fonseca, could benefit. "Journalists are increasingly accustomed to using encryption, and it is becoming less and less complicated."
In other words, Mar may just have helped coordinate the most important open source project ever seen.
And she did it at a time when the FBI and various governments are trying to install backdoors in major consumer products, especially Apple's iPhone. Thus, the Panama Papers show how important encryption is for revealing stories of corruption that are undoubtedly of public interest.
"We are proud to know that VeraCrypt was useful to make such disclosures, especially in the current political climate in which the use of encryption is reviled in virtually all media," said Idrassi, who did not know that his creation had been used in the Panama Papers project. "It is important to take this opportunity to educate the masses and politicians alike, let them know that encryption is not only used for bad things, it is critical for journalists, human rights activists and other dissidents living under repressive regimes."