
Development

Martus: Software for human rights groups

October 18, 2011

This article was contributed by Dave Neary

What constitutes a hostile environment for software? For one Martus user in Colombia, it meant being held up at gunpoint one evening after leaving work and being forced to hand over her laptop. Without Martus, doing so may have placed the lives of a large number of people in danger. Thanks to Martus, she could hand over the computer secure in the knowledge that these people were safe.

Martus (from the Greek for "Witness") is a fairly simple program - it records reports of human rights abuses ("bulletins" in Martus terminology), encrypts them, and stores them securely off site. But given the circumstances under which it's used, it is vital that its users have absolute confidence that it does those things well.

At the recent Open World Forum in Paris, I had the opportunity to talk with Dr. Jeff Klingner of Benetech, the US-based non-profit that wrote Martus. Jeff was speaking in the "Humanitarian Free and Open Source Software" track at the conference. He mentioned that "NGOs [Non-governmental organizations] who use Martus have confidence in the security of our software because it's open source". Because records are stored encrypted by Benetech, "they don't even have to trust us" - something Jeff admitted was a concern for some NGOs around the world.

Security before convenience

Martus is designed for ease of use, but whenever security concerns come into conflict with usability, security wins through. One example: there is no key recovery service. If you lose your private key or forget your passphrase, any data encoded with that key is lost. Benetech has put a lot of effort into educating its users about best security practices - there is an entire chapter of the Martus user guide [PDF] dedicated to safe computing, guarding against malware and handling passwords. Martus also includes an onscreen keyboard for password entry, to help defend against key-sniffer malware.

Martus is written in Java, and licensed under the GPL. It consists of two distinct parts: a server which stores encrypted bulletins, and a client, which provides for data entry, search and encoding of bulletins.

Each Martus user has their own key and passphrase, which is used to encrypt all data they enter into the system. In addition, users may set up an HQ account, so that others they trust in their organization will be able to see their private data once it has been sent to the server. Bulletins are also kept encrypted on the local hard drive until they are deleted by the user.

Internally, keypairs are 2048-bit RSA keys that are encrypted with SHA1 and TwoFish using a passphrase. All bulletin data is encrypted with 256-bit AES, and signed using SHA1 digests and the private key. And all client-server communications are transferred using SSL with self-signed certificates. The team have considered using biometrics or physical objects to complement passphrases and private keys, but according to Benetech engineer Kevin Smith, the Martus Technical Lead, "whenever we have researched biometric authentication, we have not been comfortable with the reliability and security, and/or with the impossibility of changing your credentials if they become compromised".
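The layering described above (a passphrase-protected 2048-bit RSA key, AES-256 bulletin encryption, SHA1-based RSA signatures) can be sketched with the standard Java crypto API. This is an added illustration, not Martus code: the class and method names are hypothetical, PBKDF2-HMAC-SHA1 with AES stands in for the SHA1/Twofish key protection because the JDK ships no Twofish, and the GCM mode and signing over the ciphertext are assumptions. How the per-bulletin AES key is stored is not described in the article and is left out.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.*;
import javax.crypto.spec.*;

public class BulletinSketch {
    // Passphrase -> 256-bit AES key. PBKDF2-HMAC-SHA1 + AES stand in for SHA1 + Twofish (assumption).
    static SecretKey fromPassphrase(String pass, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pass.toCharArray(), salt, 100_000, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }
    // AES-256-GCM (the mode is an assumption); output is iv || ciphertext || tag.
    static byte[] seal(SecretKey key, byte[] plain) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = new byte[12 + ct.length];
        System.arraycopy(iv, 0, out, 0, 12);
        System.arraycopy(ct, 0, out, 12, ct.length);
        return out;
    }
    // Reverses seal(); throws AEADBadTagException if the key is wrong or the data was altered.
    static byte[] open(SecretKey key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
        return c.doFinal(blob, 12, blob.length - 12);
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        // Only the passphrase-wrapped private key would be written to disk.
        byte[] wrapped = seal(fromPassphrase("constructed passphrase", salt), kp.getPrivate().getEncoded());
        // Bulletin: fresh AES-256 key, then a SHA1withRSA signature over the ciphertext.
        KeyGenerator kg = KeyGenerator.getInstance("AES"); kg.init(256);
        byte[] bulletin = seal(kg.generateKey(), "constructed report".getBytes(StandardCharsets.UTF_8));
        Signature s = Signature.getInstance("SHA1withRSA");
        s.initSign(kp.getPrivate()); s.update(bulletin);
        byte[] sig = s.sign();
        s.initVerify(kp.getPublic()); s.update(bulletin);
        System.out.println("signature valid: " + s.verify(sig));
        // Wrong passphrase: the tag check fails, so the stored key stays unreadable.
        try { open(fromPassphrase("wrong guess", salt), wrapped); }
        catch (AEADBadTagException e) { System.out.println("wrong passphrase: private key not recoverable"); }
    }
}
```

The last step is the property the article's opening anecdote and the "no key recovery" policy both rest on: the stored key is only as strong as the passphrase, and nothing else can unlock it.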

Releasing the software as open source has not been a panacea for the project. Jeff Klingner notes that "we have been asking for a security audit by the open source community for years, but to our knowledge no-one has done one." Just because the project is open source does not mean that people are reading or reviewing the source code. He did mention that he suspected that some governments may have taken a look at the software, but (unsurprisingly) did not share the results of their review.

So what is the basis for Martus's users trusting the software? In the absence of a security review, isn't there a chance of a Haystack-style security flaw? Jeff says:

There's two senses to the term "trust": If you mean trust that we are not deceiving them and have not snuck in a back door through which we, the US govt, or their govt/police could see the data, this trust is based on two things: they usually trust us as partners, and because it is open source. They trust us as partners, because of the way we deal with them, and because of the long history of human rights groups and truth commissions we've worked with successfully.

The second sense of trust is trust that we haven't made a mistake in our implementation that has led to an unintentional security hole. In the absence of an audit, this trust is based on our credentials, and on a clean history, with no known attacks or post-release vulnerabilities discovered to date.

In addition to their track record, Jeff also pointed to the core team members, Kevin Smith and Scott Weikart. Scott in particular "has a totally paranoid approach to security and dreams up security threats that would never have occurred to me. The Martus data servers are locked up tighter than any other Linux security configuration I have ever seen" according to Jeff.

Several other things make Jeff confident that Martus will not see a Haystack-like security vulnerability uncovered. Firstly, Martus is open, while Haystack was not. Secondly, Benetech are very clear about what is and is not being protected against - and are frank about their potential failings. According to Jeff, "even though we've been as careful as I think it's possible for people to be, we also understand and openly acknowledge the very real possibility that we've made an important security mistake. This fact comes through in Martus's documentation, and in the way we present Martus to potential users".

Part of the reason for the lack of community traction could be how difficult it is to get hold of the software on Linux. There are no packages available for either RPM or .deb based systems, either for the server or client components. Binary distributions for Windows, Mac, and Linux are available from the project's download page, but there was a server problem when I tried to download the latest version of the client software. Source code is available directly on the project's SourceForge page, but I have not been able to find the project developers' mailing list. The project could definitely provide a better experience for developers, and if they do, there are a lot of easy ways for people to help, including packaging, translations, and security review.

Social coding for good

In addition to Martus, Benetech also runs a number of other projects in the areas of human rights, literacy, and environmental protection. To attract new contributors to these and other humanitarian software projects, the company recently launched a new initiative, Social Coding 4 Good, to increase awareness of these projects and to put potential contributors in contact with projects that can use their help. Jeff mentioned that he believed that a lot of young programmers would like to give time to a project which is both technically challenging and provides some social benefit - Social Coding 4 Good aims to fill that gap, in a way similar to what HFOSS does for academic programs.

More and more, people are interested in working on "stuff that matters", to use a phrase made famous by Tim O'Reilly. Projects like Martus, that can make a real difference during times of political turmoil in some of the most troubled regions of the world, offer an opportunity to do something that matters. If you want to help with the project, report a security bug or propose packaging the software for your Linux distribution, you can contact the project at info at martus.org.


Brief items

Quotes of the week

I'm significantly happier with the ideas in PEP 3150 now that I've reframed them in my own head as: "You know that magic fairy dust we already use inside the interpreter to support out of order execution for decorators, comprehensions and generator expressions? Let's give that a syntax and let people create their own declarative APIs"
-- Nick Coghlan

The FSF would welcome a legal requirement to make all software free but does not advocate one now. It would be too drastic a change for the current situation.
-- Richard Stallman

I'm not advocating breaking other apps for "no good reason", but moving faster and making bigger strides in Gecko and Firefox development is "good reason". These are the big levers the Mozilla project has in advancing the Mozilla Mission. They will become less effective over time if we do not move faster and smarter with both of them.
-- Asa Dotzler


Apache Cassandra 1.0

Version 1.0 of the Apache Cassandra distributed key-value data store is out. New features include on-disk compression, better memory management, and a lot of performance improvements.


IcedTea 2.0 and security fixes

IcedTea 2.0 has been released. "This release is the first release of IcedTea based on OpenJDK7 since it was released for general availability. It includes all changes from the public OpenJDK7 tree, together with the latest security fixes and a number of IcedTea enhancements." For those running older versions of IcedTea, versions 1.8.10, 1.9.10, and 1.10.4 are available with several security fixes.


Announcements from the LibreOffice conference

The Document Foundation has sent out an email that highlights some of the announcements from the LibreOffice conference, which is being held in Paris October 12-15. Two of those are "advanced development projects" that will become available in 2012 or 2013: LibreOffice Online and ports of the office suite to Android and iOS. In addition: "500.000 desktops, mostly Windows, at several French Government entities switching from OpenOffice to LibreOffice (this increases the Windows installed base of LibreOffice by 5% in a single move)."


Samba-VirusFilter 0.1.0 released

Samba-VirusFilter is a new project to integrate various malware scanners with the Samba server. Version 0.1.0 is out with support for ClamAV, F-Secure, and Sophos scanners.


The STEED project launches

STEED is a project to create "usable end-to-end encryption" using GnuPG. It features automatic key generation and distribution and a "trust on first contact" trust model. More information can be found in this white paper [PDF].


SyncEvolution 1.2 released

Version 1.2 of SyncEvolution, a personal information management and synchronization application, is out. The headline feature appears to be support for the CalDAV and CardDAV protocols, with ActiveSync support in the works for the 1.3 release. Support for Akonadi and KWallet has also been added.


xpra 0.0.7.28 released

From the Xpra web site: "Xpra is 'screen for X': it allows you to run X programs, usually on a remote host, direct their display to your local machine, and then to disconnect from these programs and reconnect from the same or another machine, without losing any state." The 0.0.7.28 release adds a number of significant performance improvements, forwarding of system notifications, and more.


Newsletters and articles


Lopez: The next million apps

On his blog, Xan Lopez looks at the GNOME app story and comes to a familiar conclusion: "Why is this relevant for GNOME? Never mind iOS, never mind Android, one thing is clear: most of the next million apps written will be web applications. Some huge players like Microsoft are already moving there as fast as they can, and the rest will follow sooner or later. Native apps won't go anywhere for a long time, but developers willing to maximize their reach will, increasingly, prefer web applications over anything else. At least as their first choice. This brings us a great opportunity. If we jump on this bandwagon, support web applications as first class citizens on top of world-class runtimes, and accept and even encourage people to run their web apps on our operating system we can maximize our reach with a fraction of the effort of fighting in the native SDK war against Apple and Google."


Poettering: [Google code search is] A Big Loss

Lennart Poettering covers a Google announcement that Google Code Search will shut down in January. "I think it must be of genuine interest to the Free Software community to have a capable replacement for Google Code Search, for the day it is turned off. In fact, it probably should be something the various foundations which promote Free Software should be looking into, like the FSF or the Linux Foundation. There are very few better ways to get Free Software into the heads and minds of engineers than by examples -- examples consisting of real life code they can find with a source code search engine. I believe a source code search engine is probably among the best vehicles to promote Free Software towards engineers. In particular if it itself was Free Software (in contrast to Google Code Search)." (Thanks to Paul Wise)


Schumacher: Fifteen years of KDE

Cornelius Schumacher reflects on 15 years of KDE on his blog as well as looking to the future for the KDE "desktop" (which is moving well beyond the traditional desktop these days). "Fifteen years ago Matthias Ettrich started the KDE community. On 14th October 1996 he wrote his famous email to the de.comp.os.linux.misc group on Usenet. He called for other programmers to join him to create a free desktop environment for Linux targeted at end users. Many, many people joined. Thousands of developers wrote millions lines of code. We did 90 stable releases of our core set of applications alone, not counting all additional stuff and the thousands of 3rd party applications."


Page editor: Jonathan Corbet


Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds