|
||||
|
February 21, 2022 wholeaked - a new open source program to catch whistle blowers
|
From: no data Date: Mon, 21 Feb 2022 04:52:54 -0800 Subject: [cryptome] wholeaked - a new open source program to catch whistle blowers To: cryptome@freelists.org this post is an attempt to get this list back to the roots of what cryptome is based on: leaked files. I attempt to share an interesting coder, the coders shared work in his github and what is his most interesting creation yet called wholeaked in hopes of drumming up interesting discussions on leakers and related software, and hopefully we can leave behind some of the insane and inane discussions of recent history on this list. Ill first go over his github and the various projects he created and the skills/languages he used to create the tools and then go onto wholeaked, what it does, a brief explanation on how it does what it does, its uses, its shortfalls and why its an interesting and important addition to those who are for and/or against leaks and/or leakers (it helps and works against both leakers and anti-leakers both). Lets begin. the original Developer of this code quote about the project he named "wholeaked": "a file-sharing tool that allows you to find the responsible person in case of a leakage" The github project page has 19 forks, uses the BSD-3-Clause License and was created on January 26th, 2022 appears to be made by a talented hacker named Utku Sen who's written other pro-privacy and published them on github such as his "house party" emergency data locker tool that encrypts every file in your home directory via remote command in an attempt to block a thief's access to your documents, as well as several anti-ransomware tools that detect when encrypting of files has begun and stops the process and warns you as soon as it sees it happening. A re-write of the program was done to have the code available in python. His other open source tools include: -several DoS tools, -a url-shortener reversal tool, -a fork of "empire" windows exploit toolkit for automated pwning of windows domain controllers, -an IRC based botnet/bot tool, -a second fork of Empire with modifications to timing and order of loading is functions for IDS evasion, -a stresstester -a program called jeopardize; a threat intelligence&response tool against phishing domains -and a mass-security-auditing toolkit -a blackjack analyzer -other interesting hack tools. The languages he uses to create these tools spans across various major languages from C to python to visual basic to c# and finally Go. His repos can be found here: https://github.com/utkusen?tab=repositories While the method this program uses is not brand new the program itself is and it is more than a simple single functioning binary with only one function..., it crosses platforms to every major 64 bit OS (linux x64, macOSX x64and windows x64) which makes this program all the more versatile to use Classification of program type: The program might be whats known as a type of "traitor tracing" software (see here: https://en.wikipedia.org/wiki/Traitor_tracing ) ..and uses a canary trap to finger the leaker (see here: https://en.wikipedia.org/wiki/Canary_trap ).. ..... some might be offended by such strong labels such as 'traitor' to describe this software, as the word "traitor" could be replaced with "brave unwavering ethical bar-setting/bar-raising whistleblower hero" and the functionality of the software would be the exact same even if the intent is different. ...., the program helps you keep track of everyone who gets a copy of the file that you suspect will be leaked (or you might do this as a form of anti-copying enforcement in hopes of distributing the book with consequences of getting fired from their job, fined or imprisoned. Each copy that gets sent out gets its own unique invisible watermark which is essentially just metadata that ties that particular copy to the email address (or person) who you sent it too. When the file or files get leaked (or if it gets leaked) then you can check the metadata in the copy of the now public file and see which person the watermarks show that it was tied to, and then you've just found your leaker. Here are the several ways you are able to tag the file (copied directly from the github here: https://github.com/utkusen/wholeaked ) "wholeaked can add the unique signature to different sections of a file. Available detection modes are given below: File Hash: SHA256 hash of the file. All file types are supported. Binary: The signature is directly added to the binary. Almost all file types are supported. Metadata: The signature is added to a metadata section of a file. Supported file types: PDF, DOCX, XLSX, PPTX, MOV, JPG, PNG, GIF, EPS, AI, PSD Watermark: An invisible signature is inserted into the text. Only PDF files are supported." A note of caution: Of course this tool will only reveal the most inexperienced and/or over confident of leakers, as anyone with half a brain will realize, 19th attempt to strip all metadata from the file before leaking, if not altogether re-creating the document with screenshotting each page of data one at a time with something like the good old printscreen button and pasting and saving in ms paint or something similar, One should consider using a brand new VM that was spun up for this single purpose or a live linux distro like ubuntu live or tails will also work (those who work in digital forensics are much better to discuss this part of the topic!) This is but one way to by-pass someone using a unique-injection-of-watermark-per-file leak-detection technique (try saying that 5x fast!). among other methods, The _actual_ common term of this technique is called the canary trap for the laymen, It is actually used in many different contexts that are much different than someone breaching national security with PDF files or whatever, like for example, some AV programs use canary files that are placed in your documents folder and if the AV detects that they are no longer accessible (yet still remain in your documents folder) or if they appear to be modified, then the AV might cause all processes to stop and block any processes from writing to disk until the user either lets the processes continue after confirming that it was not ransomware that modified, encrypted or changed the file. Wholeaked is essentially making every distributed file its own unique identifiable canary. If that canary is ever found anywhere by being leaked, then at the very least you will know who was responsible for the file becoming public (if it was their intent on spreading the file to the public or not!). What makes this one note-worthy is that it is now trivial to do it easily without the need to understand concepts like unique watermarking and metadata or how to add them correctly. Also that it is open source with compiled binaries for windows, OSX and linux (you can find the project, binaries and source code on github here: https://github.com/utkusen/wholeaked/releases/tag/v0.1.0 ) Its a reminder to those who are experienced in leaking to stay vigilant , less they be exposed (and in some states/places this could mean death or worse to you and your family). Its also a wakeup call for those who leak who dont know what they are doing , and might mean lost jobs, legal action, imprisonment and possibly a lot more if they don't smarten up about their opsec. On the other hand, it could also mean the capture of those who are leaking classified documents to rogue states who routinely deny mountains of evidence of human rights abuses (im looking at you China) for money, in which case, it would be a good thing exposing those who give aid to powerful unethical monsors. No matter the use case, the tool is now in the hands of everyone and anyone is free to add and change it for their own uses and publish their own versions as a fork if they like. To end this post which has gone on far too long, here is the creators home page: https://utkusen.com/ kudos you, Utkusen! |