Anonymous Whistleblowing with SecureDrop

SecureDrop talk from Mozilla Festival 2017



October 29, 2017


  1. Anonymous Whistleblowing with SecureDrop. Jennifer Helsby (@redshiftzero), SecureDrop Lead Developer. Mozilla Festival 2017. SecureDrop Release Signing Key Fingerprint: 2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77
  2. What you’ll leave with
    • An understanding of the challenges journalists face keeping sources safe
    • A high-level view of the SecureDrop architecture
    • You’ll have leaked your first document
    • An understanding of how you can contribute your skills to SecureDrop if you wish
    • Discussion and questions
  3. Some of the most important stories in investigative journalism have come from whistleblowers.
  4. In the past, journalists could protect their sources by simply not revealing their identities when asked. [Image: still from “All the President’s Men”, a film adaptation of Carl Bernstein and Bob Woodward’s reporting on the Watergate break-in]
  5. [Image: GCHQ surveillance base in Bude, UK. Image credit: Trevor Paglen] “SecureDrop restores the effectiveness of a reporter’s privilege to protect their sources through principled non-cooperation—such as refusing to testify in court—whereas pervasive digital surveillance has made this gesture effectively moot over the last decade.” - Charles Berret, Tow Center for Digital Journalism Report on SecureDrop
  7. SecureDrop
    • No third parties: Each organization using SecureDrop operates its own independent instance
    • Encrypts data in transit and at rest
    • Minimizes metadata trail between sources and journalists
    • System hardening to protect against hackers
    • Free and open-source
  9. Current SecureDrop Team: our Ford-Mozilla Open Web Fellow! + contributors prototyping next generation SecureDrop workstation
  11. … more at https://securedrop.org/directory

  12. How do sources find out about SecureDrop?

  18. You should download and use Tor Browser to stay anonymous online and provide cover for those that rely on Tor to stay safe. https://torproject.org
  19. How does SecureDrop work?

  20. [Diagram: Source, SecureDrop server] A source submits documents to an organization’s SecureDrop server
  21. “Source interface”: Web application running on a Tor onion service (*.onion) advertised by the news organization
  22. [Diagram: Source, SecureDrop server] They are stored encrypted on the SecureDrop

  23. [Diagram: SecureDrop server, Journalist] A journalist logs in to SecureDrop to look at recent submissions.
  24. “Journalist interface”: Web application running on an authenticated Tor onion service kept secret
  25. [Diagram: SecureDrop server, Journalist] She downloads the encrypted documents.

  27. [Diagram: Journalist, Secure Viewing Station] She moves the encrypted documents to a special computer used for viewing SecureDrop submissions.
  28. [Diagram: Journalist, Secure Viewing Station] This air-gapped computer contains the decryption key for the documents.
  29. [Diagram: Journalist, Secure Viewing Station] The journalist decrypts the documents.

  30. [Diagram: Journalist, Secure Viewing Station] She reads them and can publish stories based on their content!
  32. Now it’s your turn
    1. Download Tor Browser from: https://torproject.org
    2. Go to pu7yqpfi5cn6sow7.onion and submit a document or message!
  33. How you can help

  34. Localization

  35. Help us translate SecureDrop!
    • Get started translating SecureDrop: https://weblate.securedrop.club
    • Join our community forum: https://forum.securedrop.club
    • https://www.localizationlab.org/
  37. [Diagram labels: Internet-connected VM; Disposable VM not connected to the internet; Journalist]

  38. Help us write code or documentation for SecureDrop!
    • Install SecureDrop: https://docs.securedrop.org/en/stable/overview.html
    • Help us develop SecureDrop:
      • Developer documentation: https://docs.securedrop.org/en/latest/development/getting_started.html
      • Server code and documentation: https://github.com/freedomofpress/securedrop
      • Journalist Workstation: https://github.com/freedomofpress/securedrop-workstation
      • Developer mailing list: securedrop-dev@lists.riseup.net
  39. Thanks
    • Please come and talk to one of us after if you are interested in helping out!
    • Translation: https://weblate.securedrop.club
    • Code and documentation: https://github.com/freedomofpress/securedrop and https://github.com/freedomofpress/securedrop-workstation
    • Chat with us:
      • https://forum.securedrop.club (forum)
      • https://gitter.im/freedomofpress/securedrop (team chat)
      • securedrop@freedom.press
    • Donate: https://securedrop.org/donate
    • Follow: @SecureDrop and @FreedomOfPress