Ask Me Anything: SecureDrop

Abridged and Remixed (or “Untangled”)
Below is an abridged version of the SecureDrop AMA with casual comments and content unrelated to questions removed for ease of reading. Questions are in bold and have been matched up with related responses which are in italics. You can access the full unabridged transcript on the Localization Lab Mattermost channel.

 SecureDrop Attendees:

@redshiftzero: Lead Developer
@dachary: Contributor, admin for Weblate.SecureDrop.club
@fpoulain: Contributor, sysadmin for SecureDrop.club

erinm: We have one question from twitter: "How can freelancers, without institutional support of a big media company, install secure-drop or ensure they have a similar facility for whistle-blowers to contact them securely? Independents with specific beats could really use this functionality but don't have the resources."

dachary: It really depends on which country you live in. If you're in the USA, Freedom of the Press Foundation would be the non-profit to go to and ask for help.
If you're in Europe, there are a few volunteers who can help. I actively support a few french investigative journalists who do not have the means to pay for professional support.

redshiftzero: Yeah right now in terms of financial costs you need to spend about 1.5k in hardware but reusing older hardware can help. for journalists that are not technically oriented finding a volunteer admin (someone like @dachary ;)) is usually the most common way to get a securedrop up and running for a single journalist.

dachary: I was also able to provide hardware (because 1.5k is a lot of money for a journalist). Hackers are good at refurbishing used hardware that cost very little.

dkaurin: How easy is SecureDrop to use? What level of technical skill would one need? I actually haven’t seen a demo, Idt.

redshiftzero: As a journalist it is relatively easy to use and does not require special technical skill, but to administer the securedrop instance you do need to find someone who is comfortable doing basic linux administration.
A technically skilled journalist can also act an administrator (we have people doing this in a few cases) but most commonly they are separate roles. 
And there is a demo of the web application that journalists use at: http://demo.securedrop.club/ if you use the credentials on the page after clicking on "journalist interface."

dachary: From a localizer point of view, SecureDrop is super easy: there only are ~250 strings to translate. And in addition to what @redshiftzero points to, http://source.i18n.securedrop.club/ is a demo dedicated to localizers, with frequent updates with the latest strings.

redshiftzero: by the way:

provides a high level view of the flow for sources / journalists.

dkaurin: And with that actually—are there other use cases for SecureDrop? For human rights organizations, for example.

redshiftzero: Any organization that has a need to get data from anonymous people might benefit from a securedrop instance.

erinm: So the tool can really apply to more than just "traditional" media organizations.

dkaurin: Awesome—I think that would be useful for folks to know. Do you have any examples of use within HROs yet?

dachary: Some human right organizations need very high level of security and SecureDrop. Most of them need to get out of Dropbox / Google Drive and self-host with something like Nextcloud.

redshiftzero: We do have some organizations that aren't news orgs - e.g. greenpeace - using securedrop, but i'm not sure of any in the HRO context off the top of my head.

D: Do the instances hosted by the people get administered by the Securedrop team or by them?

redshiftzero: @D: instances are administered by the news organization or non-profit itself (usually by their IT staff)

D: Do securedrop supports the new V3 of Tor?

redshiftzero: @D: so for background v3 onion services are Tor's latest version of onion services which provide server anonymity (the changes in v3 are described in brief https://blog.torproject.org/tors-fall-harvest-next-generation-onion-services) - we are not supporting v3 of Tor onion services yet, but we plan to migrate the source interfaces over (tracking here: https://github.com/freedomofpress/securedrop/issues/2951)

One more note on the onion service question: one challenge we have for migrating the journalist and SSH interfaces away from v2 onion services is that we make heavy use of a feature of v2 onion services that provides client auth (HidServAuth) which makes it such that only users that have a special cookie can even connect - that is not yet in v3 onion services but hopefully will be soon.

erinm: On that note, do you have more examples of organizations, media or otherwise, currently using SecureDrop? And do you know of any using localized versions in particular?

dachary:

• https://theintercept.com/ is English, Portuguese
• https://www.nrk.no/ is English, Norwegian
• https://www.apache.be/ is English, Dutch
• https://jean-marc.manach.net/securedrop.htm is English, French
• https://www.wereport.fr/ is English, German, French
• https://www.heise.de/ is German, English

    
kwadronaut: There's French and Dutch at https://apache.be/securedrop/ however, it can be improved a lot (ie: showing the right content depending on accept language header).

erinm: Have any organizations asked for localization support for a language not currently available?

redshiftzero: Hmm, there is at least one organization that started installing securedrop before their primary language was available - they have not announced yet so i can't share their name yet unfortunately.

erinm: No need to share the organization name, but if possible, interested in hearing the language that is in need so that we can prioritize finding individuals to support it.

redshiftzero: The language is arabic!

dachary: I heard of one news organization who was interested in having a SecureDrop in Arabic.

Now that @d finished reviewing Hindi... I'm hopeful an organization will use SecureDrop in India.

It has been suggested that the landing page content suggestion are translated so news organizations like the intercept do not have their landing page in english only.

It would also be great to have investigative journalists provide SecureDrop in Arabic so the good work from @r and others is put to good use. There is a tricky chicken and egg problem: should the installation come first or the translation?

D: How do you check the authenticity of the files or data people send? Have you ever had instances where the info wasn't real?

dachary: We are developers and we do not actually handle any document. But journalists do and that's challenging indeed

redshiftzero: People do send false information through securedrop - but @dachary is correct - we leave it up to news organizations to verify the authenticity of the documents. they can use document metadata, cross-checking with other sources ("does it sound reasonable that...") to validate what they are getting is accurate.

dkaurin: How would a potential whistleblower know whether or not a media org has SecureDrop?

redshiftzero: Potential whistleblowers ideally will find out an organization has securedrop through the news organization itself - this might be through the physical newspaper (some include the securedrop address on the front page or in ads in the news paper) or from the news organizations website, e.g. https://theintercept.com/ has a "Become a source" link in their sidebar.

dkaurin: And the SecureDrop directory? Is that up to date? Do you know of everyone who uses SecureDrop, or can orgs download and use independently?

redshiftzero: We have a bit of a backlog in terms of getting people into the official directory at https://securedrop.org/directory - the reason being there is a validation process where we make sure that the landing page does not have unsafe trackers, etc. and that the securedrop was installed following the official recommendations

Organizations can download and use securedrop without needing to talk to the securedrop team

D: Since some governments use DPI and block Tor network, how would people send info from that region?

redshiftzero: In such a case, to access securedrop, a whistleblower can use gettor to get the tor browser (https://www.torproject.org/projects/gettor) and a bridge to circumvent censorship in their region. an organization that is trying to contact sources from such regions such include language to this effect on the page on their website that explains how to use securedrop (we call this the "securedrop landing page" - here's an example: https://theintercept.com/source/)

erinm: Do you do any outreach to organizations who would benefit from using SecureDrop? How to organizations find out about you?

redshiftzero: I know of another organization that had a billboard with their source interface onion address outside a certain US government agency to solicit leaks, heh

Right now freedom of the press foundation is no longer doing outreach to organizations we think could benefit from securedrop, so most organizations are finding out from other organizations that use securedrop - i.e. they see the tips page of another news org and think "oh we should have that too"

We [freedom of the press foundation] used to do outreach to news organizations to try to get them to install it back when the use of a whistleblowing platform was more uncommon, but in the past few years many major news organizations have started using them (e.g. the new york times, the washington post, etc.) so we no longer need to do so

S: I have a friend who is Bosnian. Can anyone explain which link I could send to him?

dachary: The localization guide has everything.

Ideally this friend would also know an investigative journalist willing to use SecureDrop. We can help them get started.

dachary: having SecureDrop translated in a given language is great. But it also needs to be used in order to be sustainable. I can imagine it is frustrating to translate and wait months for the work to be displayed to the public.

erinm: I think there are quite a few organizations that would be interested in using SecureDrop in Arabic. The key is outreach. Going back to @redshiftzero 's response about outreach, it is too bad that there is no active outreach/marketing effort. This is a key aspect of post-localization life of a tool. We should brainstorm some ideas for outreach for at least the currently available locales.

C: An idea about the post-localization life of a tool is to ask the organizations that use SecureDrop to release a note or an article about SecureDrop, saying additionally that anyone can use it.

erinm: I wonder if incentive can be given to orgs already supporting SecureDrop to volunteer resources to small media orgs or freelancers?

D: Like providing the Yubico keys?

dachary: https://www.nitrokey.com/ is my personal favorite replacement of Yubikey

C: Even if it is not sustainable to localize in languages that have no user, in some cases that might still be a good option when it is a language largely spoken, such as arabic.

erinm: +1 I was just about to say the same. What I would recommend is reaching out to potential users and collaborators in parallel to gauge interest and get feedback and start to build a network to support the tool for that language/region.

erinm: Like @C mentions, for Arabic, Spanish, French etc. and other large language groups this is less essential because of the sheer number of speakers and potential users, but for small language groups, minority languages etc, this will be quite important.

D: It would be great if the organizations can display the securedrop in the landing page where people can see it, which has all the instructions to be followed

dachary: I think the major blocker for most journalists is that they do not understand most of the security concepts and practices that it requires. The Freedom of the Press Foundation trainings, as well as other similar programs all around the world gradually help them to better understand Tor, 2FA and other aspects of infosec. It will take a long time but we'll get there.

dkaurin: My next question, as a whistleblower, would be how exactly does it work? How does it keep me anonymous? Would the person receiving the doc know my identity, and wouldn’t they eventually have to confirm my identity?

Redshiftzero: As a source, you are anonymous because you are using the tor anonymity network - so a network observer cannot determine you are using securedrop, and the journalists at the news organization cannot determine your identity. that said, in your messages to journalists you can choose to reveal your identity if you trust the organization.

dachary: In addition to what @redshiftzero said sometime the source anonymity is compromised for [reasons unrelated to SecureDrop or the journalist](https://forum.securedrop.club/t/journalist-assessment-of-a-source-at-risk/557)

d: I'm not sure journalist in India aware about these kind of tools. Any thoughts @D?

D: I heard few chatter about it few months back. It is mostly kept under wraps and also I don't know if anyone from India hosts the securedrop instance.

dachary: Journalists covering Aadhaar would be good people to talk to.

D: The case going on in Supreme Court

After the "Elliot Anderson" revelations more people started to see the problems in Aadhaar.

dachary: What do you miss most, as a SecureDrop localizer? How can we (developers) make your life better?

d: what do you miss most, as a SecureDrop localizer? -> Hope more users use localized version of securedrop. Developer can't spread awareness about it but securedrop org can do.

D: Have you ever faced security breaches on securedrop or the hosted by the organizations?

redshiftzero: So far we are not aware of any securedrop instances being hacked, though there have been a few vulnerabilities and proof of concept attacks like this one https://securedrop.org/news/security-advisory-do-not-scan-qr-codes-submitted-through-securedrop-connected-devices (note: we wrote a document asking security researchers not to attack production instances after this event - we do welcome security research and have a bounty at https://bugcrowd.com/freedomofpress for anyone that is interested)

D: Do you have support for the U2F, if yes what are the products you recommend?

Redshiftzero: We currently support only HOTP, TOTP for two factor auth (for HOTP we recommend and test Yubikeys but we don't strictly require their use)

erinm: A comment from Twitter: Would be a very interesting @Squarespace integration

dachary: I'm not sure what the question means.

erinm: I think the individual is suggesting they would like a way to integrate SecureDrop with a SquareSpace site.

dachary: Since it is advertisement based, it pretty much defeats the idea of anonymity I'm afraid

D: Do securedrop host any trainings or webinars for organizations, specifically to tackle the problems in deploying the securedrop instance?

Redshiftzero: freedom of the press foundation does offer trainings for administrators (you can request help here: https://securedrop.org/help) and you can also ask any questions you have as you are deploying securedrop at https://forum.securedrop.club/c/support

erinm: What are your highest localization priorities right now, and why?

dachary: We have priorities and deadlines listed at https://forum.securedrop.club/t/about-the-translations-category/16

Review: Arabic, Finnish, Romanian, Russian, Swedish are the priority one items, with a focus on Arabic but @r already did most of the work.

I would very much like to see Kurdish Kurmanji : it is my mission in life

erinm: And are these priorities based on an identified need? Or just on the progress of translation?

dachary: just progress.

D: Have you ever faced problems since you work on securedrop from any authorities or organizations who knows your work?

dachary: I feel very safe working on SecureDrop as a developer. No pressure, very relaxed and friendly community. And the authorities did not manifest themselves at my home or during my travels.

Redshiftzero: Nope, no issues so far! i think some might see securedrop as a controversial tool, but really it is just preserving what has existed in news organizations for a long time - the anonymous tip line - in the presence of the mass surveillance that now exists in many countries.

D: Difference between "OnionShare" "Securedrop" "GlobalLeaks"?

Redshiftzero: Onionshare provides synchronous file sharing, e.g. the source would need to be online at the same time as a journalist to transfer - still useful but slightly different use case (though i hear the feature set might be increasing in coming releases...). in terms of globaleaks, my understanding is that securedrop is more targeted at news organizations specifically, and we also make an assumption that the adversary have very sophisticated technical capabilities so we do a lot of hardening for all securedrop instances (e.g. all securedrops install a hardened kernel) to mitigate those threats

erinm: If people have follow-up questions, what is the best way for them to communicate with you?

Redshiftzero: If others have questions or suggestions, they can feel free to drop into our regular chat at https://gitter.im/freedomofpress/securedrop or our forum at https://forum.securedrop.club/

erinm: And, are there any closing remarks or things that you would like the Localization Lab community to know?

redshiftzero: Just a huge thanks for all the excellent contributions so far!