Anonymous Whistleblowing with SecureDrop

SecureDrop talk from Mozilla Festival 2017

redshiftzero

October 29, 2017

Transcript

  1. Anonymous Whistleblowing with SecureDrop
    Jennifer Helsby (@redshiftzero)
    SecureDrop Lead Developer
    Mozilla Festival 2017
    SecureDrop Release Signing Key Fingerprint:
    2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77

  2. What you’ll leave with
    • An understanding of the challenges journalists face keeping sources safe
    • A high-level view of the SecureDrop architecture
    • You’ll have leaked your first document
    • An understanding of how you can contribute your skills to SecureDrop if you
    wish
    • Discussion and questions

  3. Some of the most important stories in investigative journalism
    have come from whistleblowers.

  4. In the past, journalists could protect their sources by simply
    not revealing their identities when asked
    Still from “All the President’s Men”, a film adaptation of Carl Bernstein and Bob Woodward’s reporting on the Watergate break-in

  5. GCHQ surveillance base in Bude, UK. Image credit: Trevor Paglen
    “SecureDrop restores the effectiveness of a reporter’s privilege to protect their
    sources through principled non-cooperation—such as refusing to testify in
    court—whereas pervasive digital surveillance has made this gesture effectively
    moot over the last decade.” - Charles Berret, Tow Center for Digital Journalism Report on SecureDrop

  7. SecureDrop
    • No third parties: Each organization using SecureDrop operates its own
    independent instance
    • Encrypts data in transit and at rest
    • Minimizes metadata trail between sources and journalists
    • System hardening to protect against hackers
    • Free and open-source

  9. Current SecureDrop Team
    our Ford-Mozilla Open Web Fellow!
    + contributors prototyping next generation SecureDrop workstation

  11. … more at https://securedrop.org/directory

  12. How do sources find out about SecureDrop?

  18. You should download and use Tor Browser to stay anonymous
    online and provide cover for those that rely on Tor to stay safe.
    https://torproject.org

  19. How does SecureDrop work?

  20. SecureDrop server
    Source
    A source submits
    documents to an
    organization’s
    SecureDrop server

  21. “Source interface”: Web application running on a Tor onion
    service (*.onion) advertised by the news organization

  22. SecureDrop server
    Source
    They are stored
    encrypted on the
    SecureDrop server.

  23. SecureDrop server
    Journalist
    A journalist logs in to
    SecureDrop to look at
    recent submissions.

  24. “Journalist interface”: Web application running on an
    authenticated Tor onion service kept secret

  25. SecureDrop server
    Journalist
    She downloads the
    encrypted documents.

  27. Journalist
    Secure Viewing Station
    She moves the encrypted
    documents to a special computer
    used for viewing SecureDrop
    submissions.

  28. Journalist
    Secure Viewing Station
    This air-gapped computer contains
    the decryption key for the
    documents.

  29. Journalist
    Secure Viewing Station
    The journalist decrypts the
    documents.

  30. Journalist
    Secure Viewing Station
    She reads them and can publish
    stories based on their content!

  32. Now it’s your turn
    1. Download Tor Browser from: https://torproject.org
    2. Go to pu7yqpfi5cn6sow7.onion and submit a document or
    message!

  33. How you can help

  34. Localization

  35. Help us translate SecureDrop!
    • Get started translating SecureDrop: https://weblate.securedrop.club
    • Join our community forum: https://forum.securedrop.club
    https://www.localizationlab.org/

  37. Internet-connected VM
    Disposable VM not
    connected to the internet
    Journalist Workstation

  38. Help us write code or documentation for SecureDrop!
    • Install SecureDrop: https://docs.securedrop.org/en/stable/overview.html
    • Help us develop SecureDrop:
    • Developer documentation: https://docs.securedrop.org/en/latest/development/getting_started.html
    • Server code and documentation: https://github.com/freedomofpress/securedrop
    • Journalist Workstation: https://github.com/freedomofpress/securedrop-workstation
    • Developer mailing list: [email protected]

  39. Thanks
    • Please come and talk to one of us after if you are interested in helping out!
    • Translation: https://weblate.securedrop.club
    • Code and documentation: https://github.com/freedomofpress/securedrop and
    https://github.com/freedomofpress/securedrop-workstation
    • Chat with us:
    • https://forum.securedrop.club (forum)
    • https://gitter.im/freedomofpress/securedrop (team chat)
    [email protected]
    • Donate: https://securedrop.org/donate
    • Follow: @SecureDrop and @FreedomOfPress
