# Corroborator
board: https://trello.com/b/JqhKjyKP/general
[Competition rules here](https://www.challenge.gov/assets/document-library/3.2_TechtoProtectChallenge_Program-Rules.FINAL.4.1.19.pdf)
- pg. 59: cyber requirements
- The app adheres to the subset of the [NIAP Protection Profile for Application Software](https://www.niap-ccevs.org/Profile/Info.cfm?PPID=394&id=394) required for this competition
- The app avoids the [OWASP Mobile Top 10](https://owasp.org/www-project-mobile-top-10/) security vulnerabilities
# Technical Notes
## Ian's brainstorming notes
[paper on permissible image transformations](https://www.cs.tau.ac.il/~tromer/papers/photoproof-oakland16.pdf) - this doesn't make sense to me because cropping an image is "permissible" by this standard but someone could be cropping out an important part of the image that changes the story. So it really is up to the human to decide if the image has been changed significantly. So they need either the original image or a way to generate the original image to judge the edits.
**How to prove provenance of an image from public?**
**Problem:** who can be trusted to be a good actor/human?
1. Each device's signing keys are associated with x images/data points
2. The more these data points vary from others' (the more unique the key appears to be in its actions), the more likely the key is owned by an autonomous person
3. The more of these real-person signatures and supporting data points you can gather from the mesh to support your image, the higher the likelihood that you haven't taken an image and signed it with a host of your own devices (Sybil attack)
4. Peers on the mesh could sign GPS and other sensor data if they fall within an acceptable range of their own device's sensor data
5. Problem: if your signing keys are exposed, anyone can find your location history by tracking your signatures for images. This would only be the case if the metadata were published on chain.
6. Solutions:
    1. Only hashes are stored on chain, linking to encrypted IPFS addresses (a la Textile) that you can permission to only one person, thereby not exposing any other people's signatures. If everyone's signatures are hidden, though, you can't prevent a Sybil attack by figuring out who has real keys. However, if the other signers show that their signature is connected to their DID with a credential like a license, you could prevent Sybil attacks. This would require the person's permission, though, so the system isn't automated. This wouldn't work for the social media API but would work for something like a subpoena, i.e. whenever the image provenance and integrity are really important.
    2. You only sign requests from people you've added to your trusted peer list (lol, who is going to actually do this; it has to use some other measure)
    3. You have multiple signing keys
Idea: given that hashing images on the chain only provides a timestamp of the recording, how do you coarsely know (as Facebook or Twitter) that an image someone uploads is close in time to the actual event? You'd want an analysis of the content and then an API to query whether an event such as that (speech, concert, earthquake, fire, etc.) happened at the time and place the person claims. This could guard against synthesizing a video after the fact. It seems like a super hard problem, though: for the example of the deepfake of Mark Zuckerberg giving the speech about spying on people, he may have given a speech the same day about something else. Assuming that fake news can't be eliminated overnight, this solution at least narrows the window in which someone can upload synthesized information, i.e. it has to coincide with a similar event.
### How do we create a corro plugin that works online and offline
1. **Configure:**
    1. hash module
    2. storage module, local and/or cloud
    3. DID/signing module
        - optional: log who your trusted peers are (accepting from, pushing to). Quasi credential layer, e.g. "I trust this person"
    4. corroborator peers module
        1. hash receipt and/or file receipt
        2. corroborator opt-in supply
        3. mesh
        4. chat
    5. web3 publish module
    6. trusted/trust peers module
        1. which users you will accept validation requests from
        2. need a request-trust-peer method
2. **Single high-level API**
## Reporter app:
#### Overview:
1. **Databases:**
    1. **Image Data DB:**
        1. Add(ImageRecord)
    2. **Logbook Transaction DB:**
        1. Key: logBookAddress, Value: [LogTransaction]
        2. get(logbook)
            1. either goes to local DB
            2. or to full node / block explorer
        3. add(log transaction)
            1. start just by gathering peer metadata + signatures for x seconds, then publish directly to the chain when on wifi
            2. optionally in the future, we can use Tor to pass the transaction until we get a trusted peer and log the transaction in their queue until they get wifi
    3. **Peer DB:**
        1. isTrusted(peer), getAllPeers()
        2. trust(peer)
2. **Mesh API:**
    1. listen(peer, hash)
        1. sign hash and add my own location and timestamp
    2. request(myPeerID, hash)
        1. get signed hash with metadata, and then when x peers have signed, publish transaction to chain
3. **Wallet/Blockchain light client**
    1. HD wallet to produce new addresses
    2. funding transactions through mixer/coinjoin to fund the wallets
    3. each new address sends itself transactions carrying the Log Transaction Data
4. **Auditor Window (both reporter and auditor)**
    1. pass logbook (blockchain address) to pull up logs either from local DB, block explorer or trusted full node; same as the get(logbook) API above
5. **Logbook communication Reporter<->HQ**
    1. send txn from logbook or reporter's ID to HQ with logbook address
6. **Reporter ID/DID**
    1. is this issued from HQ or generated from the HD wallet?
#### Log Transaction Data schema:
#### Order of ops TODO:
1. multihash image file and metadata and save hash + image to protected storage
2. if online, submit file to IPFS endpoint to get a CID; if user prefers, also pin image to IPFS
3. publish multihash and CID to peers
4. publish multihash and CID to blockchain
---
# Market Research
## Other use cases:
City use cases:
- PD
- clerk
- voting
    - pics of ballots?
    - user keeps.
    - can verify that exact pic was used to tally vote.
    - bake vote metadata into the image itself!
    - could *just* be metadata, i.e. a verifiable hash of the JSON.... BUT that is easy to expose: the data is very small, so a bare hash can be matched by guess and check. With the image included it "feels" better, and it is also better for security.
- Notary // cert issuance
    - user submits a doc - hash & stash
    - notary signs - locks on chain as a CERT referencing the initial doc.
- ***provable records bounty @ethden!!***
- internet archive - for provable state data w/ outside backups
Commercial:
- reporters
    - take live footage / articles in the field, prove it later.
    - ALSO used by anyone to verify the metadata and timestamp of the original file.
- supply chain
- delivery services
- whistleblower
    - does this qualify us for grants?
    - private commit / reveal for logs OR per file
    - whistleblower (disgruntled spouse?)
- IoT data
    - cluster of devices to do mesh
    - checkpoints / major events go on chain
    - the wyomesh idea of surveillance
- internet archive - crowd sourced on IPFS, we provide bx stamp
Internal data audits.
- Be sure your data is not corrupted or manipulated! IPFS is the solution. Blockchain provides a 3rd party audit.
- Other corro networks can be used to corroborate this.
- bx fingerprint checkpoints - so you have a 3rd party auditor
Use for cars and traffic cams on the same network.
* For accidents you get all sides of the story locked in.
* Only pass the fingerprint to others to sign; they can't tell what the data is, only that you are requesting a sig.
Use for insurance claims. All parties involved take pictures and use the app to corroborate on the mesh, thus automatically giving unbiased corroborating signatures to everyone's data. Plug-in for an insurance app?
Could be used in place of a police report...
Commit/reveal for sensitive data: able to publish fingerprints and then expose the data later. Confidential data security for integrity and proving provenance.
---
# Meeting Notes
### 2/26/20 Jessie Lambert notes (Ian)
> **Personal Cell: 720-231-1570**
Departments give out iPhones, they’re super cheap
Problem: DA’s office takes the entire drone, takes the SD card from the DSLR; most of the time the officer just uses their phone and pays Axon a large fee
He definitely wants to be able to crop photos - then uploads them to Axon’s evidence.com
For a typical crash, he takes 80-100 photos
Each photo:
- case number
- what it is
- retention policy
DA’s office wants labels on every single photo
Axon only allows bulk, so Jessie has to go back in and edit each photo’s label
How much does the DA determine? It seems like the DA gets a lot of say in what departments implement.
They pay Axon per gig of image data. Jessie’s body camera was running for 10 hours, audio and video, for a 5-car fatal crash. Retained pretty much forever. They’ve gone over their bulk storage several times. They get charged separately for body cameras vs. pictures. Erie decided not to go the photo route so as not to have to pay extra. They upload everything to a separate server.
Every time Jessie logs in to watch the body camera footage, Axon logs the watch/view of a photo with a timestamp.
None of Jessie’s photos have been questioned, but departments will send out warnings if anything bad happens.
Denver has 1500 officers, Erie has 30, Dacono has 8 officers, 3 sergeants and a chief. Code enforcement also uses Axon.
Corro pros: saving the dept money, making the DA happier?
Future: ensure that program information is super easy to understand/read/present to a jury, i.e. don’t show a timestamp in seconds, make it easy to read. Make an evidence report for each image. Abbreviations are spelled out.
### 2/25/20 OST notes
They like what we’re doing though and are passionate about the use case, making police officers accountable.
They’re going to get more decentralized, but their main net is in alpha right now
He thinks Tendermint would be great for this, but there are no mixers on Cosmos and there would be a lot of setup.
We could have a collector/API that collects these hashes and then publishes them via api, but poses a censor point.
They suggest using a federated chain that watchdogs and police departments run.
They said don't hesitate to get in touch with them for questions and technical support.
### 2/10/20 Notes from meeting with Carson
1. Core on mobile via parameter passing - is a node on mobile that doesn't accept incoming connections low-energy?
    - don't want a full node
2. 2 options:
    1. node - don't host locally, mobile peer might not be online, probably won't be.
    2. the light client -
3. He personally tried a number of times to get crypto APIs to work on React Native - it was the wrong rabbit hole
4. Idea: just hash the file locally when offline, and then when online upload to IPFS. The auditor module pulls the file from IPFS, converts it to the full file and then hashes it to do the check.
#### takeaway:
Don't try and run an IPFS node on mobile yet; instead try out this order of ops:
1. multihash image file and save hash to protected storage
2. if online, submit file to ipfs endpoint to get a CID
- if user prefers, also pin image to ipfs
3. publish multihash and CID to peers for them to add their metadata + hash + signature
4. publish multihash and CID to blockchain
### Notes from meetings 2/7/20 w/ Gary
- Can we know the judges? What about the people in attendance? How to tailor the pitch.
- public safety, CIOs from cities, rep from FirstNet @ AT&T (app ecosystem for first responders -- might be able to work with them, contract/sell to them? -- no cost to list?), telcos
- WILL NEED: test devices for the May 1st event to show judges our app
- Margreat kenson - com sciences - assess image quality -- user experience
- mike L - applied cyber - computer forensics & software systems.
### feedback on Corro
- Strengths
    - off/online mode clean, good
    - viable
    - pro that it's decentralized
- Weaknesses
    - always stored in cloud? claimed this was not true
    - had to use iTunes? to transfer file
    - UX on website: had to use all of it combined into one interface
    - want many logbooks
    - users needed a key, felt less secure?
    - offline mode (no integrity check until online)
    - on iOS
    - needs mesh
    - confidence levels of tamper-proofness
- Strong encouragement
    - find a way to make it work without upload
    - levels of assurance of image provenance, etc. - needs a scale
Strongly want data never uploaded off device.
- want to NOT get on the web if we say so
- can choose, default is they are not uploaded.
*** offline first is key to try and assure provenance and integrity.
Want a validation tool that is more expressive
- explain how confident you are in the data being the same
- offline vs online - how confident.
- pass CID around - but not data by default
- guard against metadata leaks about the user.
- Need to explore all exploits that we might expl
- Homeland -- SAFECOM DHS resources!!!
- Git revision history would be nice - ability to make mods and update the record.
    - might be out of scope for this. would be good.
## Q/A for first meeting T2P
- what is the market need they see?
- **TBD** we need to find our own market
- Win these finals vs. seed round?
- What is the startup they want to see come from this?
- What are we missing and need to work on? to win and for startup?
- Other customers than the government?
- **PSCR, NIST is not end consumer. Startup should not try to sell to them - e.g. of current gov't customers could be public safety agencies (Denver police department, first net authority). Fire/police/public safety orgs helped design the problems. Gary encourages us to think very broadly. 1st responders are rather small. Try to think of larger market/audience. MARKET RESEARCH with local public safety orgs, agencies.**
- Seed round has 60/100 points outlined in rules...?
- **Craig will talk to Gary about this**
- What other team members do we need?
- Allies in IPFS and ETH - more mentors/advisors/... investors?
- How possible is it to get more interactions with tech experts?
- SLACK maybe - TBD
- How important is extensibility past needs for NIST/this event?
- Do we start from scratch or polish what we have?
- What degree of attacker should we plan on defending against? I.e. decompiling the software and modifying it to submit altered CIDs, etc.?
- What are we defending against? "Threat Model"
- Other security features we need?
- compliance with standards in challenge description
- how much permissioning ability is important?
- Data ONLY on device required? Really?
- OWASP https://owasp.org/www-project-top-ten/
- NIAP
- Biometrics? vs. keys?
- Do they want to see multiple devices working at once?
- how many people should be able to use on demo day? Just for us to demo or for many to try at the event?
## Meeting with Legal Pros Notes
- Bate Stamping use case (https://en.wikipedia.org/wiki/Bates_numbering)
- Text message and document manipulation detection
- Time stamping logs and reports
- Misconduct reports for the military. Proving you took a note no later than when fingerprint is logged
- Downtime on secure data file transfer systems is MAJOR problem!!!
## App Data Flow
### Reporter
1. take pic
2. IPFS -> CID
3. ETH/DLT tx (msg, signed)
4. check for peers (do once)
    - send CID
    - get signed CID w/ timestamp (signed how?)
    - ask to sign and make new ETH/DLT tx
    - new tx? send that one (ask to)
    - no peers? send original TX
    - *see how other peers work*
5. check online (see a full node)
    - yes? broadcast
    - no? continue, *see how other peers work*
### Reporter peers listening on mesh (permissioned or public?)
1. CIDs only offline (optional, permissioned per peer)
    - manually set up peers to corroborate with
    - QR code? or HQ sets it up for you
    - listen for known peers' (signed msg) CIDs (metadata is not needed, but we need to check that the peer ID on the mesh is valid.... does that leak metadata?)
    - sign CID with timestamp and location and send back
2. ETH/DLT tx offline (default, everyone)
    - listen for valid peer TX (by signature) and store it
    - broadcast when online
### Offline original reporter
1. try to get online
    - check for TX on chain
        - yes? nothing.
        - no? broadcast
    - check (optionally) whether HQ already has the full data files
        - yes? done
        - no? send it (via IPFS) -- NOTE: HQ would need to digest the file and confirm that they got the same CID as the original peer's data.
## Advantages over Cloud Providers
- Self-hosting is as easy as downloading an app and double-clicking
- Open-source infrastructure means you get development for free
- Self-hosting is cheaper
- Portability
- No single point of failure
- at critical mass, files storage needs no servers, only peers on a mesh
## Roadmap
- react (native and PWA) for app UI, but use simple android plugin/lib that runs IPFS light client to make CIDs and talk to IPFS peers
- Dan to work on UI mostly
- Ian to work on IPFS android
- ??? Ask Wes about rust IPFS for Node/core?
- On mobile, we don't want a node?
- heavy on battery usage
- Don't chunk and
- Call with carson
- TBD after ethdenver
## OLD
## DNSummit
- 9am slot
- description and put on DSNsummit site - DAN
- Start new slides for ~30 minute talk & demo - IAN
- What is Corro
- why IPFS? (hash, content addressing, mesh, priv. and perm. soon!)
- Why mesh
- why ETH/any blockchain or DLT (permanence)
- Demo corro reporter and auditor
- Far future:
    - sharded data privately and randomly spread by peers.
## [Slides here](https://docs.google.com/presentation/d/19L1GSziVAkcSWSmaLeyNpGgH3Y3ihxuhFPibT7QV7OY/edit#slide=id.g73d3da7f01_0_60)
---
## Done - emailed Gary on this
- What we want to see in a mentor
- Ideally a mentor who can connect us with forensic evidence takers, 1st responders, police officers
- Someone who has perhaps had experience in one of those positions
- Someone with cybersecurity/blockchain/image security experience
- Someone with a large network of public safety officials
- (dan)
- A founder or executive of a successful startup in first responder tech
- A chief or lead of an emergency services company/service that deals with photographic evidence for the people under them and understands the value of solving Challenge 9 first hand.
- A legal professional who has dealt with (ideally many) cases involving forged or otherwise tampered-with data and could speak to the solutions needed
- We'd like contact with Michael O or other cybersecurity/blockchain experts
---
## Funding Potentials:
### Federal Grants
- https://www.sbir.gov/about/about-sbir ***(and/or)*** https://www.sbir.gov/about/about-sttr
- Steve from the SBA said Corro might qualify if we are making a solution for the feds. He will intro us to contacts to help us if we wanna do it.
- Stephen J. Collier, Economic Development Specialist
- U.S. Small Business Administration
- Cell (720) 883-1714
- stephen.collier@sba.gov