Anonymous Whistleblowing with SecureDrop

Transcript

1. Anonymous Whistleblowing with SecureDrop
   Jennifer Helsby (@redshiftzero)
   SecureDrop Lead Developer
   Mozilla Festival 2017
   SecureDrop Release Signing Key Fingerprint:
   2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77
   

   View Slide

2. What you’ll leave with
   • An understanding of the challenges journalists face keeping sources safe
   • A high-level view of the SecureDrop architecture
   • You’ll have leaked your first document
   • An understanding of how you can contribute your skills to SecureDrop if you
   wish
   • Discussion and questions
   

   View Slide

3. Some of the most important stories in investigative journalism
   have come from whistleblowers.
   

   View Slide

4. picture of all the presidents men
   In the past, journalists could protect their sources by simply
   not revealing their identities when asked
   Still from “All the Presidents Men”, a film adaptation of Carl Bernstein and Bob Woodward’s reporting on the Watergate break-in
   

   View Slide

5. GCHQ surveillance base in Bude, UK. Image credit: Trevor Paglen
   “SecureDrop restores the effectiveness of a reporter’s privilege to protect their
   sources through principled non-cooperation—such as refusing to testify in
   court—whereas pervasive digital surveillance has made this gesture effectively
   moot over the last decade.” - Charles Berret, Tow Center for Digital Journalism Report on SecureDrop
   

   View Slide

6. View Slide

7. SecureDrop
   • No third parties: Each organization using SecureDrop operates its own
   independent instance
   • Encrypts data in transit and in rest
   • Minimizes metadata trail between sources and journalists
   • System hardening to protect against hackers
   • Free and open-source
   

   View Slide

8. View Slide

9. Current SecureDrop Team
   our Ford-Mozilla Open
   Web Fellow!
   + contributors prototyping next generation
   SecureDrop workstation
   

   View Slide

10. View Slide

11. … more at https://securedrop.org/directory
    

    View Slide

12. How do sources find out about SecureDrop?
    

    View Slide

13. View Slide

14. View Slide

15. View Slide

16. View Slide

17. View Slide

18. You should download and use Tor Browser to stay anonymous
    online and provide cover for those that rely on Tor to stay safe.
    https://torproject.org
    

    View Slide

19. How does SecureDrop work?
    

    View Slide

20. SecureDrop server
    Source
    A source submits
    documents to an
    organization’s
    SecureDrop server
    

    View Slide

21. “Source interface”: Web application running on a Tor onion
    service (*.onion) advertised by the news organization
    

    View Slide

22. SecureDrop server
    Source
    They are stored
    encrypted on the
    SecureDrop server.
    

    View Slide

23. SecureDrop server
    Journalist
    A journalist logs in to
    SecureDrop to look at
    recent submissions.
    

    View Slide

24. “Journalist interface”: Web application running on an
    authenticated Tor onion service kept secret
    

    View Slide

25. SecureDrop server
    Journalist
    She downloads the
    encrypted documents.
    

    View Slide

26. SecureDrop server
    Journalist
    She downloads the
    encrypted documents.
    

    View Slide

27. Journalist
    Secure Viewing Station
    She moves the encrypted
    documents to a special computer
    used for viewing SecureDrop
    submissions.
    

    View Slide

28. Journalist
    Secure Viewing Station
    This air-gapped computer contains
    the decryption key for the
    documents.
    

    View Slide

29. Journalist
    Secure Viewing Station
    The journalist decrypts the
    documents.
    

    View Slide

30. Journalist
    Secure Viewing Station
    She reads them and can publish
    stories based on their content!
    

    View Slide

31. View Slide

32. Now it’s your turn
    1. Download Tor Browser from: https://torproject.org
    2. Go to pu7yqpfi5cn6sow7.onion and submit a document or
    message!
    

    View Slide

33. How you can help
    

    View Slide

34. Localization
    

    View Slide

35. Help us translate SecureDrop!
    • Get started translating SecureDrop: https://weblate.securedrop.club
    • Join our community forum: https://forum.securedrop.club
    https://www.localizationlab.org/
    

    View Slide

36. View Slide

37. Internet-connected VM
    Disposable VM not
    connected to the internet
    Journalist Workstation
    

    View Slide

38. Help us write code or documentation for SecureDrop!
    • Install SecureDrop: https://docs.securedrop.org/en/stable/overview.html
    • Help us develop SecureDrop:
    • Developer documentation: https://docs.securedrop.org/en/latest/development/
    getting_started.html
    • Server code and documentation: https://github.com/freedomofpress/securedrop
    • Journalist Workstation: https://github.com/freedomofpress/securedrop-
    workstation
    • Developer mailing list: [email protected]
    

    View Slide

39. Thanks
    • Please come and talk to one of us after if you are interested in helping out!
    • Translation: https://weblate.securedrop.club
    • Code and documentation: https://github.com/freedomofpress/securedrop and
    https://github.com/freedomofpress/securedrop-workstation
    • Chat with us:
    • https://forum.securedrop.club (forum)
    • https://gitter.im/freedomofpress/securedrop (team chat)
    • [email protected]
    • Donate: https://securedrop.org/donate
    • Follow: @SecureDrop and @FreedomOfPress
    

    View Slide