1 files changed, 90 insertions, 0 deletions
diff --git a/README.security b/README.security
new file mode 100644
index 0000000..335c537
--- /dev/null
+++ b/README.security
@@ -0,0 +1,90 @@
+Warning
+=======
+Mat only removes metadata from your files, it does not anonymise their
+content, nor can it handle watermarking, steganography, or any too custom
+metadata field/system.
+If you really want to be anonymous format that does not contain any
+metadata, or better : use plain-text.
+Implementation notes
+======================
+Symlink attacks
+---------------
+MAT output predictable filenames (like yourfile.jpg.bak).
+This may lead to symlink attack. Please check if you OS prevent
+against them
+Test suite
+----------
+Formats that are not in the test suite are not well-tested,
+please do not trust the MAT about them!
+Threat Model
+============
+The Metadata Anonymisation Toolkit adversary has a number
+of goals, capabilities, and counter-attack types that can be
+used to guide us towards a set of requirements for the MAT.
+Adversary
+------------
+* Goals:
+    - Identifying the source of the document, since a document
+    always has one. Who/where/when/how was a picture
+    taken, where was the document leaked from and by
+    whom, ...
+    - Identify the author; in some cases documents may be
+    anonymously authored or created. In these cases,
+    identifying the author is the goal.
+    - Identify the equipment/software used. If the attacker fails
+    to directly identify the author and/or source, his next
+    goal is to determine the source of the equipment used
+    to produce, copy, and transmit the document. This can
+    include the model of camera used to take a photo, or
+    which software was used to produce an office document.
+* Adversary Capabilities - Positioning
+    - The adversary created the document specifically for this
+    user. This is the strongest position for the adversary to
+    have. In this case, the adversary is capable of inserting
+    arbitrary, custom watermarks specifically for tracking
+    the user. In general, MAT cannot defend against this
+    adversary, but we list it for completeness.
+    - The adversary created the document for a group of users.
+    In this case, the adversary knows that they attempted to
+    limit distribution to a specific group of users. They may
+    or may not have watermarked the document for these
+    users, but they certainly know the format used.
+    - The adversary did not create the document, the weakest
+    position for the adversary to have. The file format is (most of the time)
+     standard, nothing custom is added: MAT
+    should be able to remove all meta-information from the
+    file.
+Requirements
+---------------
+* Processing
+    - The MAT *should* avoid interactions with information.
+    Its goal is to remove metadata, and the user is solely
+    responsible for the information of the file.
+    - The MAT *must* warn when encountering an unknown
+    format. For example, in a zipfile, if MAT encounters an
+    unknown format, it should warn the user, and ask if the
+    file should be added to the anonymised archive that is
+    produced.
+    - The MAT *must* not add metadata, since its purpose is to
+    anonymise files: every added items of metadata decreases
+    anonymity.
+    - The MAT *must* handle unknown/hidden metadata fields,
+    like proprietary extensions of open formats.

diff --git a/README.security b/README.security new file mode 100644 index 0000000..335c537 --- /dev/null +++ b/README.security
@@ -0,0 +1,90 @@
	1	Warning
	2	=======
	3	Mat only removes metadata from your files, it does not anonymise their
	4	content, nor can it handle watermarking, steganography, or any too custom
	5	metadata field/system.
	6
	7	If you really want to be anonymous format that does not contain any
	8	metadata, or better : use plain-text.
	9
	10	Implementation notes
	11	======================
	12	Symlink attacks
	13	---------------
	14	MAT output predictable filenames (like yourfile.jpg.bak).
	15	This may lead to symlink attack. Please check if you OS prevent
	16	against them
	17
	18	Test suite
	19	----------
	20	Formats that are not in the test suite are not well-tested,
	21	please do not trust the MAT about them!
	22
	23	Threat Model
	24	============
	25	The Metadata Anonymisation Toolkit adversary has a number
	26	of goals, capabilities, and counter-attack types that can be
	27	used to guide us towards a set of requirements for the MAT.
	28
	29	Adversary
	30	------------
	31
	32	* Goals:
	33
	34	- Identifying the source of the document, since a document
	35	always has one. Who/where/when/how was a picture
	36	taken, where was the document leaked from and by
	37	whom, ...
	38
	39	- Identify the author; in some cases documents may be
	40	anonymously authored or created. In these cases,
	41	identifying the author is the goal.
	42
	43	- Identify the equipment/software used. If the attacker fails
	44	to directly identify the author and/or source, his next
	45	goal is to determine the source of the equipment used
	46	to produce, copy, and transmit the document. This can
	47	include the model of camera used to take a photo, or
	48	which software was used to produce an office document.
	49
	50
	51	* Adversary Capabilities - Positioning
	52	- The adversary created the document specifically for this
	53	user. This is the strongest position for the adversary to
	54	have. In this case, the adversary is capable of inserting
	55	arbitrary, custom watermarks specifically for tracking
	56	the user. In general, MAT cannot defend against this
	57	adversary, but we list it for completeness.
	58
	59	- The adversary created the document for a group of users.
	60	In this case, the adversary knows that they attempted to
	61	limit distribution to a specific group of users. They may
	62	or may not have watermarked the document for these
	63	users, but they certainly know the format used.
	64
	65	- The adversary did not create the document, the weakest
	66	position for the adversary to have. The file format is (most of the time)
	67	standard, nothing custom is added: MAT
	68	should be able to remove all meta-information from the
	69	file.
	70
	71	Requirements
	72	---------------
	73
	74	* Processing
	75	- The MAT should avoid interactions with information.
	76	Its goal is to remove metadata, and the user is solely
	77	responsible for the information of the file.
	78
	79	- The MAT must warn when encountering an unknown
	80	format. For example, in a zipfile, if MAT encounters an
	81	unknown format, it should warn the user, and ask if the
	82	file should be added to the anonymised archive that is
	83	produced.
	84
	85	- The MAT must not add metadata, since its purpose is to
	86	anonymise files: every added items of metadata decreases
	87	anonymity.
	88
	89	- The MAT must handle unknown/hidden metadata fields,
	90	like proprietary extensions of open formats.