 Hello and good evening to this talk tonight in English. Lorax and Theo are presenting you about how they create and run the own secure leaking platform that actually works. I'm very interested in what they will present us. And I wish you a nice evening with the two of them. Hello, welcome to our talk, Making Leaks Flow on a Budget. I'd like to introduce myself. What's that? Introduce yourself. Hi, I'm Lorax. I'm a writer, journalist, editor at Distributed Denial Secrets. d.secrets.com. My name is Theo and I'm a privacy engineer. So this is a talk for those of us who care about making the leaks, continuing to flow, telling the truth, even if it makes the sky fall, even if it sets the world on fire. So let's begin with a little context where you think this is an important subject to talk about here. And I'm going to start with a little history lesson. So once upon a time, there was this website called WikiLeaks and things were good, leaks got published. Some had quite a revolutionary impact at the time. Then in 2019, some guy gets arrested, blah, blah, blah. Everybody here already knows the story. But let's talk about the current state of WikiLeaks. So if you go to WikiLeaks.org right now, you will see that the last thing they published was the Intolerance Network in August 2021, which was a dataset from Spanish Red Wing Catholic organizations, but this was actually an old dataset that was already out there since at least 2017. You could actually find the unredacted version of this dataset elsewhere when WikiLeaks published on the unredacted version in 2021. And if you actually try to view this data on WikiLeaks.org, your browser will prompt you to log in, so it's not even available from WikiLeaks anymore. So the last original release from WikiLeaks was the first short fails in November 2019, so almost four years ago at this point. And as for the overall state of WikiLeaks.org, the website has been slowly falling apart for the last two years, going to search that WikiLeaks.org gives you a 403 forbidden error, making many valuable datasets like the hacking team emails no longer searchable. If you wanted to mirror yourself the past WikiLeaks releases using the tarnestly publish, mirrors that WikiLeaks.org is also down with a 502 by gateway this time. And if you try to make a submission to WikiLeaks since the end of 2021 for the month of 2022, you would get an onion site, not found error. The error page is telling us to contact the onion site administrator. If we go to talk to WikiLeaks at WikiLeaks.org slash talk, the page is currently being rebuilt and it has been this way for quite some time. So while preparing this talk, I actually found that WikiLeaks is a new submission portal that actually sort of seems to work. Although if you try pushing any data through this form in the past four years, you would find it about as effective as piping the data into no response, no publishing. But meanwhile, the donation portal, at least we still be working with the Wahon Foundation still processing donations and we have WikiLeaks. There is only managed to raise $52 million through the sale of an NFT for Asanji's defense. So here is an easy way to make $52 million. Anyway, the money was supposed to be managed by the centralized autonomous organization which bought the artwork. But all of the voting power was quickly transferred to Asanji's brother with the Wahon Foundation task of converting it from the internet monopoly money. If you watch the transparency report that they've given at Easter Egg this year, you would find out that they decided to pay themselves up to 85 euros an hour for managing this fund. And from the confidential and the internal documents which you can see on the screen behind me right now, we know that they've been having quite a bit of trouble finding a crypto exchange willing to work with them. But eventually they managed to find one in Switzerland. Most of their assets are still stuck in EFA and you can view the documents at this URL. Yeah, if you're interested. Anyway, I guess defining an international extradition case takes a lot of money and resources, too much to also keep our website up at the same time, even when you have $52 million. And well, personally, I don't believe anybody deserves to be in prison. Let's get back to our main topic because this is a talk for people who care about making the leaks. So since 2019, there has been this other group called distributed denial of secrets. There has been quite successful publishing leaks and keeping them online. Since it's exception, they archive approximately 100 terabytes of data just from some of the most recent releases. We have six terabytes of email from Mexican Department of Defense. Hundreds of news stories generated by this leak alone. Internal documents from the Russian censorship machine, Roscoe Lanzar, the TSA in off-line list, the American College of Pediatricians, a US-American right-wing anti-trans, anti-LGBTQ, an anti-abortion K group. And also, the latest part of Wikileaks's last release, official files, that just came out. Now I distributed denial of secrets. What recently, they've been having some financial trouble. They're basically running out of money and might have to stop publishing new data soon. So if you have too much money burning, how many pockets I would highly encourage you to go to this website and throw some money to deal with the secrets of the charity. Otherwise, the next leaking publishing platform could have to be you. And initially, when I was planning to do this talk, I was going to do like a technical overview of how to set up media wiki, how to register the main name, but I was expecting a technical audience here. So instead, I'm going to hand over to my friend Lorax to talk more about how to establish the relationship with journalists as a new leaking organization. Thank you. Yeah, so when we started distributed denial of secrets, I was on the advisory board in 2018 and 2019 became more full-time. And the idea was never to be the only leaks site on the internet. I come from a background in journalism. Competition is good. It's nice to have someone else in the space to keep you honest. And we thought of ourselves as providing competition and we would also love for newer ideas and newer platforms to come along. What Theo was saying is true. We are very shoestring. We may run out of money. We may not be around forever. So I wanted to talk a little bit about how I see the work, hopefully to encourage others to take it on. It's not that hard to talk to journalists. It is daunting. They do have a lot of questions. I come from a background in journalism. I went to journalism school. Most of my career has been in journalism. I've worked in newsrooms in Ecuador, Canada. I've worked as a freelancer most of the time. Journalists really don't like to be told that they don't know something. Publishing leaks. You are often knocking on their door and offering them a big chunk of knowledge that they don't already have. So they are sometimes apprehensive to take it on. Things that I think are important for the work. You don't have to call yourself a journalism organization but it does help. You can publish leaks as an art collective or as an academic group. There are different ethical considerations for different industries. So just learn as much as possible about the label that you want to apply to yourself if you are publishing journalistically. Read a lot of ethics of journalism books. Read the New York Times style guide latest edition. It will teach you how they think and what they look for when journalists are considering sources and source materials and conversations with other journalism entities. So another thing that I think is important is to set up redundancies in your organization. I liked that DDoS Secrets was a collective from the start. We had a lot of people who could veto each other and could argue and disagree. This also creates redundancies. So if one note is taken offline, there are other people who can pick up the slack. I think that that's important for having a longevity and longevity is something that journalists will look for if they're gonna use your archive of leaks. They don't want to include a link in their story that's gonna be dead next year. So try to make yourself as versatile and redundant and just long-living as possible because this inspires confidence in the media when you wanna work with them and provide them data. Da-da-da. Yeah, another thing to keep in mind about journalists is that they're very competitive with each other. You can sometimes use this to your advantage if one journalist isn't collaborative or isn't helpful to your cause, go to their direct competition and talk to them and form a better relationship with them. This will make the other journalists get some FOMO and maybe start to work with you. But it's also just good to keep competition active in the space. There's more and more journalism networks forming up. There's new ones all the time. They all have slightly different philosophies and you can learn about the differences between them by starting to work with them, thinking of the ICIJ, the OCCRP, Organized Crime and Corruption Reporting Project. The ICIJ is the International Consortium of Investigative Journalists. There's one in Europe called the European Investigative Collaborations. They all have slightly different policies and internal rules and yeah, you can go to one and the other. When we were starting out distributed denial of secrets, there was a source who went first to the ICIJ and then to, sorry, his other way around, went to the EIC and then the ICIJ with different data sets, sort of burned bridges at both and yeah, distributed denial of secrets I think creates a bit of a safety mechanism for sources to prevent them from making some of these mistakes that journalists that turn them off working with leaks. How are we doing for time? Should we take questions? We've got 10 minutes left. So just what Larak's was talking, I was a bit busy on my laptop as you could see in the background and I managed to package up a leak. Just to sort of prove that the technical bit is really easy and like most of us could do it it's just that nobody wants to put themselves in these shoes. We should support the people who try to do it. And like, so here we have a torrent for a release that was originally published on the blog of the ransomware group play and it's a surveillance and biometrics vendor for the Swiss and German police. There are some interesting documents in there. For example, a trial of a smart border control system at the Frankfurt International Airport reports about that. So just in the span of 12 minutes I was able to do what Wikileaks hasn't been able to do in the last four years. Yeah, for those who are unfamiliar with like ransomware groups, there are a lot of them and a few years ago part of the tactics that they've taken on has been to publish their own leak sites on the Tor Network. So Dita Secrets started archiving certain leaks that were more newsworthy from ransomware blogs. At this point, there's just so many that we don't download everything that's new on a ransomware blog. We wait for a request to come in because otherwise we'd be downloading terabytes over Tor all day, every day. So this one sort of falls into one of our other categories of interest which is data from police. This isn't on Dita Secrets yet because we just did it like for the talk but maybe someday. It is on the play ransomware blog but there's now a torrent, so have at it. Start your own leak site. Can't be fun. I guess we can take questions now. And I'm sure there are some questions, yes. This is more for like a technical question. It would be, you say it's really easy. Do you have like some documentation of how you run Dita Secrets? Anywhere? Like if someone else wants to spin it up, then who's there? Dita Secrets is a media wiki website and we publish public data sets via torrent. So for packaging torrents and making sure that they have small enough parts that people can download them, there are tutorials out there. The other thing that Dita Secrets does is we run some search engines. We run Aleph, which is a free software by the organized crime and corruption reporting project. It has docs.aleph.occrp or docs.aleph.occrp or something like that. But it's pretty useful. A lot of groups run an Aleph instance to help search leaks. Ours is currently locked to users, logged in users. We used to have a public Aleph, but it was too expensive to run and it attracted a lot of negative attention. So now our copy of Aleph called hunter.ditasecrets.com is for requesters. Yeah, another thing that we do is we have like a public category of leaks and then we also have a less public collection that's available upon request. We use this less public category to store datasets with a lot of PII in them so that we're not mass publishing people's private information because this also attracts negative legal attention. But yeah, there isn't a tutorial written about how to do that. It's sort of, it's an editorial policy and other groups may have different editorial policies. And people might argue. In fact, people do argue a lot with our decisions about what we put in the limited distribution category and what we put in public. But yeah, we're a really small group so we do our best to learn what we can. Publishing leaks about certain entities has proven to be dangerous for all included people multiple times for sources as well as editors or journalists and even the technical staff of some sites. What are the risks I put myself in when hosting a new leak site? How fast do these risks become relevant to me and how could I avoid some of these risks or mitigate them? For us, what has worked has been having like a global network of members and advisors and we have journalists, we have technical staff, we have academics, we have volunteers who are none of the above, but they have large archiving capacities and so there's, as I was talking about redundancies that discourage like, yeah, law enforcement from encouraging like strice and effect. We have had some attempts to censor us, quite a few, but as long as you keep publishing then more people will find you and the act of publishing sort of protects you in the long run. It teaches also the entities that would try to censor you what your values are and who your allies are. We've been adding supporters over the years as we continue to exist and more people find use in the archive. These sorts of voices are valuable when your data goes into a research paper or like a huge ICIJ investigation. Law enforcement sort of backs off because they don't want the negative attention. Definitely like journalists have varying levels of comfort of working with leaks and you can realize pretty quickly like who's going to be an ally and who's going to be a problem. Yeah, do you have anything to add? I think it's also easier to be anonymous on the internet than ever before. Like we have funny internet money that lets you pay for things without using a real identity. So if you wanna do this, you don't even have to necessarily show your real face. Yeah, there is a new leaks site called inlasehaktivista.org that's all anonymous editors and volunteers and they've been publishing leaks for a few years. It was sort of related to like, how would you deal with takedown requests and other legal requests to just straight up throw them in the bin or is there a more complicated process? Can you repeat that? How you would deal with takedown and other legal requests, what do you throw them in the bin? Yeah, you have to have a good host that throws them in the bin but lets you know that this happened. We've had, we've changed hosts a few times. There are, you had a site at one point that was like privacy friendly web hosts but they're pretty easy to figure out. FlokiNet is great. Greenhost is useful. There's more and more every day. You have to study your jurisdictions, figure out which ones are more likely to notify you. If you do get a takedown request, we were sued in Russia, never found out about it. Our domain is now blocked in Russia. We decided not to appeal because we figured our website was probably illegal in Russia. Our logo is a pride flag. So not much worth arguing with in the courts there but yeah, does that answer your question? Next. So I know that a lot of journalists are a bit not so happy working with leaked data or they just lack the technical capabilities to do so. How can you make it easier for journalists to work with the data and maybe where is the line between making it easier for them to work with the data and tampering with the data? And like throwing away maybe interesting things. And also how do you select the journalists to approach? Okay, so the journalists really like to have exclusives and the way that we approach this philosophy, I mean, some newsrooms are more old fashioned than others and request data sets that they wouldn't have exclusive access to. A lot of newsrooms have shrinking budgets for investigations they don't like to invest three months of research time into a data set if they think that the story that they're going to publish by the end of it would come out before they're done working with the data set. I do think that attitudes are changing and that newsrooms are becoming more willing to work with data that other newsrooms have. In Germany maybe that's not the case but internationally I know of more and more newsrooms that will work with a data set even if another newsroom has it. And how to select journalists to give maybe embargo or like early access to? We have some parameters that we look for in the outlets we really like working with outlets that don't have paywalls because a lot of our readers wouldn't be able to access stories that are behind a paywall. You can also look for other impact that a newsroom would have to determine whether you will work with that outlet or with that journalist. It's not always like the newsroom that's useful. It's sometimes just one reporter in a newsroom who is able to push stories through and convince editors that they're worthwhile. There is value to walking journalists through a data set a little bit and telling them what's in there, like what dates it covers or which, yeah, basically which time period it covers and what the keywords might be that they could throw at it. We don't do a lot of pre-processing of the data sets. We have this limited distribution category because we like for the partner organizations to do more of the work themselves, journalists really don't like to be told what to do, and yeah, they like to find things for themselves a lot of the time, so it's a balance to find that middle ground where you're helping them to get into a data set but you're not directing them to what the story is. So yeah, that's the end of this very interesting talk for today. Maybe you might be able to reach out to them afterwards. Thank you very much for the insights and also thank you very much for your work, and have a nice evening. Thanks everyone.