The SecureDrop Journalist Workstation: Handling Anonymous Submissions With Qubes OS
8:52PM Aug 1, 2020
Hi, welcome back. This is day eight of HOPE 2020. We're really happy that you're here with us, and we want to give a big thank you to all the attendees, presenters and volunteers. This year, HOPE is helping the Electronic Frontier Foundation with a fundraiser. Please visit www.hope.net to learn more and make a donation to help us meet our goal. Our next session is with Mickael E. He's a security engineer with Freedom of the Press Foundation and the lead developer of SecureDrop as well. He's here to present "The SecureDrop Journalist Workstation: Handling Anonymous Submissions With Qubes OS." Remember, we have our Matrix chat for questions, so we'd love to present your questions to Mickael, and he'll be right back after his presentation. Go ahead, take it away, Mickael.
Hello everyone, my name is Mickael. I'm a security engineer at Freedom of the Press Foundation, and today I'll present the SecureDrop journalist workstation for handling anonymous submissions with Qubes OS. Here's an overview of what we'll discuss today. First, I will present what SecureDrop is, its current architecture, and the challenges with the current journalist workflow. Then we'll present the next-generation workstation architecture. At HOPE two years ago we discussed an alpha-stage prototype of this workstation, but today we'll present what's currently being piloted and used in the field by journalists. And finally we'll discuss what's next with the project.

Before we begin, I just wanted to quickly mention the U.S. Press Freedom Tracker. The Press Freedom Tracker is maintained by Freedom of the Press Foundation and is a collaboration between three dozen organizations to document and track press freedom violations across the United States. This includes police brutality over the past few weeks during the Black Lives Matter protests. The website pressfreedomtracker.us indexes and categorizes these events, and there's also an open API that allows anyone to access this information programmatically.

In the past year, there have been several journalists targeted by commercially available malware. Some great work done by researchers at Amnesty International and Citizen Lab has revealed that several journalists, both in Morocco and the United States, were targeted by Pegasus spyware, written and sold by the NSO Group. These stories highlight how increasingly accessible these types of attacks have become to both corporations and governments. WhatsApp was used to launch these attacks, and in the lawsuit that Facebook is bringing against NSO Group, they claim that over 1,400 people in 20 different countries were targeted by this NSO malware.
So it's more important than ever to ensure that journalist and source communications are adequately protected.

A brief overview of what SecureDrop is. SecureDrop is an open source whistleblowing platform originally developed by Aaron Swartz, Kevin Poulsen and James Dolan. It was announced in 2014 at HOPE. It allows whistleblowers to safely submit documents and messages to news organizations. It uses the Tor anonymity network to minimize the source's metadata trail, and it is now used by over 70 major news organizations across the world.

Some of the goals of the project: obviously, protecting sources and journalists are the main goals. Preserving the confidentiality of the communication between the sources and the journalists, both the messages, the attachments and the journalist replies, is key. We also want to make sure that journalists and their corporate infrastructure are protected from potentially malicious files. And there are also other important things to consider. First, like any security-critical system, the system should be as easy to use as possible. This is to avoid users circumventing any security features, either by accident, user error, or on purpose for convenience reasons. All software has bugs, but we make sure that security is thought of in all stages of development and usage of the platform, and in its default configuration. It's also important to note that Tor does not hide the fact that you are using Tor; in areas where Tor isn't widely used, it may be easier for an adversary to deanonymize you. There's a site, metrics.torproject.org, that allows you to navigate and view the usage statistics for Tor in your area. The security and anonymity of a source can also be impacted by factors that are outside the method of communication.
For example, it could be through operational security, physical surveillance or video surveillance. Laws and governments change, but the model currently works well in North America and many other jurisdictions due to relatively strong journalist protections. These obviously don't apply everywhere, so it requires careful review of legal considerations.

Based on these goals, the approach of the project is as follows. First of all, the control of the servers should firmly reside within the news organization. They own the hardware, they administer the servers, and there are no third parties involved. All user traffic, whether it's source or journalist traffic, goes over the Tor anonymity network to prevent a metadata trail.
The server stores the least amount of data possible, and does not persist anything other than the encrypted messages and files. Because of this, it's impossible to gather any data to improve the service for sources, but the lack of logging, analytics and telemetry is a necessary trade-off to ensure the privacy and maintain the anonymity of sources. All data is encrypted in transit using Tor onion services, and there's also an option of using HTTPS as well for a second layer of encryption. All messages and files are encrypted at rest. In order to protect journalists, it's important for us to ensure that they open documents safely, and so we provide comprehensive documentation for journalists on how to open submissions, process documents, and how to safely use the system using an air-gapped computer.

Here we'll discuss the current state of SecureDrop. A typical SecureDrop deployment consists of two servers, one firewall and two workstations. The first server is the application server. This hosts the source and journalist interfaces, which are two Python web applications that are exposed over Tor onion services. The second server is the monitoring server. It uses the host intrusion detection system OSSEC and sends alerts to administrators when unusual activity is detected on the application server. The network firewall is a dedicated firewall; we recommend the use of a dedicated pfSense device to segment the two SecureDrop servers from the rest of the news organization's network. This ensures that the servers are not reachable from the corporate network, but also that the SecureDrop servers cannot reach into the corporate network. Submissions are stored on the application server and they are encrypted to the instance's public key. Here's what a source does to submit a file or message.
When a source wants to submit a file or message through SecureDrop, they will first go to a news organization's source interface in the Tor Browser, and they will submit files or messages to that interface. They will also be able to return later, should a journalist reply, to view replies or send additional messages or additional files. In order to view a submission, a journalist needs to use two workstations. Both of these workstations use the Tails operating system, which is a Linux distribution that fits on a USB drive and restricts all communication to Tor. The first workstation is the internet-connected journalist workstation. First, the journalist needs to boot up and log into this journalist workstation. Once they're logged in, the journalist will then connect to the journalist interface of the SecureDrop server, log in to the server using their credentials, and then retrieve encrypted submissions from the journalist interface. The user will download all documents and messages they wish to view. Then the journalist will copy these encrypted files to an encrypted transfer device, which is generally a full-disk-encrypted USB drive. Then the journalist will shuttle this drive to their second Tails workstation. This is the secure viewing station. The secure viewing station is an air-gapped Tails workstation that has the private key used to decrypt submissions, and it is never connected to the internet. After connecting the transfer device and unlocking the drive, the journalist will copy the submissions to the secure viewing station and then wipe the transfer device. Using the same secure viewing station, the journalist will decrypt the files that were just transferred, and will open these submissions using the same computer to view them. From this point on, the journalist can export files for further processing, either using an export device or a printer, and then write their story.
The SecureDrop source and journalist web applications are fully translated into 21 languages, with several other languages being partially translated. If you want to add a language other than the ones that are listed here, or if you would like to contribute to the translations, please go to securedrop.org/translate. These are some of the 70 news organizations that are using SecureDrop now. While historically SecureDrop has been used by news organizations, we're also seeing other uses of it as well. In this case, U.S. Senator Ron Wyden recommends evaluating the use of anonymity tools such as Tor and SecureDrop to protect the identity of whistleblowers. Last year at DEF CON, the Department of Homeland Security announced that their Cybersecurity and Infrastructure Security Agency would use SecureDrop to receive anonymous tips on security bugs for federal infrastructure. Here are some recent improvements that we've made to the server components. We'll see a bit later that some of our efforts will also focus on the journalist experience.
We've updated SecureDrop to use v3 onion services by default for new installs. Existing installs can opt into using v3 onion services, which significantly improve the cryptographic algorithms used by these onion services. This means that by default, URLs will be 54 characters long instead of the 16 for v2 onion services. We plan on deprecating these v2 onion services in February of next year. In Tor Browser 9.5, the Tor Browser introduced onion names, which allow setting short names for onion service URLs. In this case here, when a user types lucyparsonslabs.securedrop.tor.onion, it will automatically redirect to Lucy Parsons Labs' SecureDrop source interface. This is achieved through a SecureDrop-specific HTTPS Everywhere ruleset, and it will be especially useful in cases where there are v3 onion URLs that are 54 characters.

We discussed the submission flow earlier, though; let's focus a little bit more on the journalist's tasks when a journalist needs to decrypt a submission. As we said previously, the user will boot up their journalist workstation in Tails, connect to the journalist interface, download the submissions they want to decrypt, copy the files to the transfer device, shuttle this transfer device to the secure viewing station, copy the files, wipe the drive, then decrypt and view the submissions. In its current state, SecureDrop minimizes the metadata between sources and journalists because all traffic is routed through Tor and the server stores as little as possible. It reduces the metadata trail because SecureDrop is hosted within a news organization and it is within the control of the news organization; there are no third parties to subpoena. The air-gapped secure viewing station means that should the viewing station be compromised, an attacker would still need to jump the air gap to exfiltrate the data.
Some of the downsides: there are some challenges to the current methods. The process to download, decrypt and view the submissions contains many manual steps. This not only takes time to explain, but it also takes time for journalists. Using the encrypted USB drive to transfer files from the journalist workstation to the air-gapped viewing station introduces risks of malware and data exfiltration, especially if the drive is not sanitized every time. Tails is updated on a six-week cycle, and it requires the user to manually download these updates over Tor and then reboot the workstation to apply these updates. These are manual processes that are not mandatory; they are not enforceable. There's also the additional challenge of updating the secure viewing station, which does not have network access. Note that in this case we're referring to the journalist workstations and not the server components; the servers are upgraded nightly. Finally, all submissions are decrypted and viewed on the same air-gapped computer. Even though Tails has some security hardening that makes it harder for malware to persist across several sessions, it is still suboptimal to open potentially malicious submissions on the same system which is storing sensitive data such as the private key.

So a couple of years ago, we decided to research a new way to handle submissions for journalists using a single computer and virtual machines, replacing the current two-laptop air gap setup using Tails.
The goal is to eventually provide journalists with the flexibility of using the integrated workstation to receive, process, redact and publish submissions. We decided to use the Qubes OS project as the base. Qubes has some very interesting properties and some very interesting tooling that allowed us to build an integrated workstation where journalists can safely open submissions while at the same time also having network connectivity. Qubes OS is a free and open source single-user desktop distribution, which is maintained by the Qubes OS project. It uses Xen for virtualization and provides many useful features that we will build upon: a template system to manage base operating system templates; a concept of disposable VMs that allows you to create VMs that are destroyed after use, after they're shut down; an inter-VM communication mechanism to allow communication between VMs; a Python API; and a Salt management stack in order to provision and manage VMs on the workstation.
Here's how it works at a high level. It first starts with the hardware, the laptop or desktop that you use to run the operating system. On top, there's the hypervisor that provides the base and the support for virtual machines to be run. Then there's dom0, which is a special administrative VM. This VM has full control over any other VM, as well as the hypervisor itself. It is the VM that controls and orchestrates everything that happens on your workstation. Then there are template VMs. Template VMs contain all system and application-specific data. Templates can then be used as the base for other VMs, which can contain application-specific data. All applications, base operating systems and packages are packaged in this template VM. Qubes ships by default with both Debian and Fedora templates, which can be customized or cloned by end users. There are then several types of VMs that can be created based on these template VMs. There are app VMs, where only changes to certain folders are persisted across reboots. For example, in app VMs it would only be the user's local directories, like /home/user, that are persisted; any other changes will not persist across reboots. So for example, if you install a package in an app VM, it will not persist across a reboot; after reboot, it'll just pick up whatever is in the template VM on which this app VM is based. Then there are disposable VMs. In the case of disposable VMs, upon shutdown, everything is destroyed, including the user's home directory or user data. Qubes also has the concept of a vault VM. Vault VMs are app VMs that do not have network connectivity. This is useful for VMs that store secrets or sensitive information. Then finally, there are system VMs that are provided by Qubes, which handle potentially risky system activity. There's sys-net, which handles the network stack to guard against network-level attacks.
Then there's sys-firewall, which provides firewall rules for the system. By default, VMs cannot communicate with each other over the local network, but one can modify rules in this sys-firewall VM to allow two VMs to communicate with each other over this local network. Finally, sys-usb handles the USB controllers themselves. To connect a USB device to a specific VM, a user will need to explicitly connect this specific device, through a built-in utility, to the target VM they want to connect the USB device to. Qubes has also implemented a custom protocol to communicate between VMs: qrexec, which is based on the Xen vchan mechanism, allows VMs to communicate with each other using shared memory and an event channel. The original vchan implementation was also written by the Qubes team, and it was backported into Xen. Qubes, through qrexec, also allows the ability to transfer or open files; qrexec has some scripts that run in VMs that allow transferring or opening of files across VMs. There's also more specific functionality that is exposed, like for example GPG, where a GPG client that is in a VM will expose decrypt, sign and verify,
and have that happen over the qrexec protocol, similar to how it would work with an HSM or using a YubiKey. It will not allow extraction of the private key. Developers can also build or use existing protocols on top of qrexec to communicate between VMs, and with all these qrexec inter-VM communications, Qubes offers RPC policies to allow or restrict these inter-VM communications on a VM-per-VM basis. So it's fairly granular to allow or deny access to a given VM.

Using Qubes OS, how can we improve the journalist experience? As far as the workstation itself is concerned, the journalist workstation, we want to preserve the anonymity and confidentiality of sources; that's definitely the most important. But one thing we also want to make sure of is to improve the usability, and the primary way to do that is to reduce complexity, by reducing the amount of time journalists will spend on using the system and by also minimizing the risks of user errors. This will make sure that users will more reliably and more often check for messages or submissions and more frequently communicate with sources.
So how can we achieve these goals?
First, to protect journalists, we want to make sure that known vulnerabilities are patched, that the system is always up to date and always patched against the latest known vulnerabilities. We also want to isolate the submission key from potentially malicious documents. And we want to isolate documents from each source: you don't want to open a file from source A in the same VM as you open a file from source B. We also want to make sure that we can recover from an attacker getting code execution once there is a submission that is potentially malicious. And we want to provide defense in depth against unknown vulnerabilities as well. Finally, we want to use well-established and proven technologies to make sure that this project and the solution are maintainable.

Then for usability, we obviously want to make sure that the system is usable by journalists. What is usable by technologists or a technical administrator is not necessarily what is usable by journalists, so through user research we make sure that the goal is to make these technologies as accessible as possible to as many journalists as we can. We also want to make sure that we reduce the administrative burden, specifically updating. But we also want to make sure that the IT staff in a news organization could provision new workstations for employees and journalists. And finally, in order to make it usable, we want to make sure that we automate some of the high-risk processes and abstract these from the user.

So the current architecture with the two workstations, the journalist workstation and the secure viewing station, will be replaced by one integrated Qubes workstation, allowing the user to download, view and export submissions on a single workstation, on a single laptop. Let's follow how a submission gets handled in this new Qubes-based workstation.
First, the system VMs that are provided by Qubes have network connectivity. Then there's a Tor process that runs in its dedicated VM. This will allow the workstation to communicate with the journalist interface. Then there are two VMs: a proxy VM and a user GUI VM. The GUI VM, in yellow, provides chat-like functionality and runs in a non-networked VM by default. It will communicate to Tor and then to the journalist interface using the proxy VM, and the proxy VM restricts access exclusively to the journalist interface API. The communication between the GUI application and the proxy VM is handled through a custom qrexec service so as not to expose the entire network to the GUI application VM. Once the submissions are downloaded from the journalist interface by the journalist, they then need to be decrypted. The user GUI application does not have access to the private key; it will need to communicate through qrexec to request decryption of a file or message from another vault VM. This vault VM has the private key, and that vault VM will perform the decryption of the file or message. Then, finally, opening files: once the files are decrypted, they'll be sent to a networkless disposable VM that will open and display the submission. Once the user closes the file, the VM will be destroyed and no additional data will be persisted. These viewer VMs are hardened Debian-based VMs, and they have grsecurity-patched kernels mitigating a wide range of memory corruption vulnerabilities.

This is how it looks from the point of view of a journalist. Prior to using the client, the journalist is prompted with an update panel. This will ensure that all VMs are updated, Xen or VMs are updated, prior to launching the application.
Once the VMs are updated, the journalist then logs into the client using their journalist interface credentials, the same credentials they were using for the web interface. Then the user will be able to view all sources, all messages and all attachments. The messages and the sources as well as the replies are all displayed in a chat-like interface. When a user clicks on a file, each document or attachment will be opened in a dedicated networkless disposable VM. As you can see in this screenshot, the window with the yellow chrome is the client and the windows with the green chrome are the ones that are handling submitted documents. In this case, both documents are open in separate virtual machines, even though the chrome is the same.
Now the journalist can also easily reply to a source. Remember, in the past with the Tails workflow, the secure viewing station was not internet-connected, so if the journalist wanted to reply to a source, they'd have to return to the other Tails workstation, the journalist workstation, to reply. So they had to go back and forth between the two. But now with this new GUI, they could just reply in the text box.

Behind the scenes, there's a lot that a user will not see. Other than the VM that is running the client application, there are, as we discussed previously, the Qubes system VMs, the Tor VM, the proxy VM to handle the network traffic, as well as the vault VM that handles the submission private key. But there's also another VM to handle device attachments such as USB drives or printers. There are the disposable VMs where all the files are opened. And finally there's a log VM that will aggregate logs from all VMs in a single place.

The technical goals were mostly achieved by reducing attack surface and providing defense in depth. To ensure known vulnerabilities are patched, we auto-update all VMs on boot prior to launching the client or the GUI application. In order to isolate the submission key from potentially malicious documents, we isolated the key in its own networkless VM and used qrexec and the Qubes functionality to broker that traffic and ensure that the RPC policies are restricted. To isolate each source's documents, we open each and every document in its own disposable networkless VM; any changes in that VM will be destroyed on shutdown. In order to recover from an attacker getting code execution in the VM, we use viewer VMs that are networkless and disposable, destroyed after shutdown. And part of the reason we went into this project was also to increase the cost of a successful attack using defense in depth.
We use kernel hardening to complicate exploitation of memory corruption vulnerabilities. We use disposable VMs to make sure that exploit persistence is difficult. As a result, an attacker will need to find multiple security vulnerabilities: they'll need to obtain code execution within the disposable VM, they'll need to manage to bypass the mitigations that are provided by grsecurity, and then they'll need to be able to find an applicable Xen breakout to escalate their privileges outside of this virtual machine.

In late 2018, the Open Technology Fund sponsored an audit of the alpha version of the SecureDrop Workstation. No findings of medium severity or above were uncovered during that audit. Currently, the SecureDrop Workstation has been in a limited pilot with two news organizations since April of 2020. The goal is to get feedback from these news organizations and to validate the functionality before we expand the pilot to more news organizations. So far, the reception has been quite positive, both in time gains for journalists and administrators. The time on task for reviewing submissions and replying to sources has been greatly improved, and since the updates are handled by end users on boot, this reduces some of the administrative burden of updating Tails drives.

Right now we are researching next steps for the submission processing pipeline within the workstation, specifically metadata removal, sanitizing or redacting files. In the past couple of years, there have been some new tools that were released, like First Look Media's Dangerzone. These are usually extra steps that journalists will do prior to getting files out of their secure environments, before sending them to other machines or before publishing them. And so these are sort of topics that we are looking to integrate as well as automate.
If anyone here has suggestions or any experience with either of these tools or any recommended processes or frameworks to use, or if you'd like to help, please get in touch with us. Next, we're also looking into supporting other templates, like for example Signal, and providing the ability to open attachments using disposable VMs. We're also looking into a research VM, to allow journalists to safely perform research on the workstation, for example a dedicated VM that will run Tor Browser.
Finally, while the SecureDrop server components are internationalized, the client is not. So we're looking into supporting more languages and internationalizing the client as we roll out support to more news organizations. Several employees of Freedom of the Press Foundation maintain the SecureDrop project, and Freedom of the Press Foundation also offers services to news organizations like training and consulting services. SecureDrop also receives many contributions from the open source community, whether it's in code, translations or documentation. SecureDrop and the SecureDrop Workstation are both free and open source projects. They're hosted on GitHub, where you can find the issue tracker, and you're free to comment, post or create new issues. We also have a Gitter room that we use for discussing development. And there are many areas where anyone can contribute, whether it's translations, documentation, design or code. Another way to help is to donate to Freedom of the Press Foundation or other projects such as Tor, Qubes and Tails, which are all very important projects to protect sources and journalists. Thank you.
Thanks, Mickael. That was an excellent discussion about SecureDrop. Thank you very much for helping protect our First Amendment rights. It was amazing. We're taking questions right now on Matrix, and thank you again, sir. Okay, so our first question is: given that nation-state actors are part of the threat model for journalists, how do you approach mitigating issues like hardware-based backdoors such as Intel ME, possibly unsafe hardware with implants like tech, or malware in the initial installation of Qubes OS via a potentially bad USB?
So those are excellent questions. In general, when we design the system and the security decisions around this system, we evaluate every single threat as well as their likelihood. In the case of hardware-based backdoors, I think that unfortunately this is a problem that is largely unsolved, given complexities around supply chain management as well as hardware provisioning in general. It is very difficult right now for anyone to procure a laptop or a computer that has fully open and fully free firmware, BIOS and the like, and a lot of the newer Intel processors and AMD processors, but also hard drives and other types of controllers, have firmware that is closed and that cannot be inspected. So this is obviously a larger problem in the industry generally. I think that as far as the likelihood of hardware backdoors, it's important for users to pay attention to the supply chain and how they procure hardware. So unfortunately, that is a question that is not answered. As far as the initial installation of Qubes OS via a potentially bad USB, all the ISOs that the Qubes project hosts have checksums and are signed with their release key, and so we can attest to the authenticity and the integrity of that ISO image. As far as the USB device itself, it's a question of, again, supply chain, and there are issues which are beyond people's control. So perhaps purchasing items retail, not getting them shipped directly to your house or to your place of work, might be a good way to prevent interdiction. There are other methods, and it's generally around having variety in the supply chain and the acquisition of hardware.
Very good points. Yes. And I think that's a great idea, to just go retail so I have a better chance. Okay, and the next question is: I'm concerned about the USB device, it seems this opens an attack vector. Can you talk about the choice of USB versus read-only media such as a CD or DVD optical disk?
So, I assume that in this case the person asking the question is referring to the USB export within the Qubes security workstation itself. This is something we discussed. So, as far as the USB device itself, it is connected directly to a VM that has hardware-based virtualization, and so the device itself is connected in this isolated VM. Upon shutdown, any modifications to that VM will be discarded because it is a disposable VM. So yes, it is definitely a potential vector. However, the likelihood of an attacker maintaining or obtaining persistence is somewhat low in this case. As far as read-only media, CD/DVD, I think that is likely a safer solution to prevent these kinds of attack vectors. One thing to keep in mind, obviously, is that the CD drive itself, if it's a USB drive, also may be an attack vector. And the other disadvantage is that the files on the CD drive need to be encrypted. So we would need to encrypt those, and then, you know, physically destroying CDs, and then overall it is a pretty cumbersome process. Because nowadays not a lot of laptops or not a lot of hardware has USB drives, but that is definitely something to consider. And this is something that is possible in Tails, the old Tails approach.
I see. Has there ever been the use of the micro SD in your work, because it's so tiny and can be hidden anywhere, you know?
I think that it is definitely, I mean, it is very possible that it is being used. So when you connect a micro USB through a USB re... yeah, sorry, micro USB or micro SD, I'm sorry.
Well, I'm just... because they're available now in 512 gigabytes and I throw my phone, it's just incredible how much capacity.
Yeah, I guess so. So of course it could be used. It would be exploited just like a USB mass storage device, or it could be used in lieu of any USB drive. Yeah.
Okay, let's go on to the next question. For the file opener VM: first, can you display essentially any file type? And second, what are the options for download or print or email forwarding those documents? Probably you can skip the earlier question about USB out. Okay, let's go through this question. File opener VM: can you display any file type?
Sure. So for the file opener VM, we did a survey, basically trying to figure out, trying to assume what files journalists would want to open. So we have a wide range of applications on that VM. It's obviously not complete, but one of the advantages of having an internet-connected workstation is that it provides the ability to install new software on these VMs. And so if there's a file that cannot be opened, we can very easily address that and install the software inside the template VM. So anything that is openable in a normal Debian distribution, we would be able to open that as well. I believe the follow-up was about downloading and printing. So for downloading and/or exporting: for downloading the files, all files are supported for downloading. I assume that then the next step would be the export, and so for the export there are also no restrictions on the file type. And as for printing, the state of Linux drivers for printers is a little complicated, and so there are obviously some files that work, some files that don't. In general, any Word document, PDF file, or any picture, any image or something like that could easily be printed using the system. Yeah.
Very good. So our next question is: how difficult is it for organizations to set up SecureDrop properly? Have you found that larger or smaller organizations have an easier time?
That's a good question. I think it depends. So there are challenges in both small and large organizations. As a project, SecureDrop has comprehensive documentation for administrators and journalists that provides guidance on how to install the system properly. Once it's installed, the maintenance is fairly minimal, and anyone with some Linux experience or some basic system administration skills would be able to administer it without a problem. With regards to smaller or larger organizations, it really depends on the level of the technical abilities of the staff. I think that in larger organizations sometimes there are policies, and they have certain ways of deploying systems for redundancy and criteria or specific requirements for production readiness within a large enterprise, and sometimes there could be a few differences there, given that part of the purpose and motivation of SecureDrop is to run it separately from the rest of the entire infrastructure. And so smaller organizations may be more agile and may have an easier time deploying the system. But I think that it's really a case-by-case basis. I think that both small and large organizations have had fairly good success in setting this up properly.
Alright, got it. Thank you. We have another question for you here. Do you have success stories of when an important story came in via SecureDrop but would not have been submitted using more traditional means?
So that's a good question. As a matter of policy, we don't discuss whatever stories came out of SecureDrop, for the protection of the sources. As for whether there have been any success stories from SecureDrop, I mean, it's hard to say. Given some of the administrative requirements and the number of news organizations that are still currently maintaining a SecureDrop server, our guess is that there are probably some interesting and important stories that came out of SecureDrop. But as a matter of policy, we don't discuss this, and we also very actively discourage news organizations from discussing any stories that may or may not have been submitted through SecureDrop.
Oh, that sounds like a good point. No security through obscurity, as they say. So our next question is: someone has already mentioned Raptor systems. Have you done any consideration of POWER9, RISC-V or non-x86 in general?
That's a good question. So it seems like in the industry right now, the x86 platform, which is dominated by Intel and AMD, is having all these issues we mentioned before around non-free firmware. Whereas there are other platforms like Raptor systems, which I believe are on the POWER9 architecture, which has free and open source BIOS. In the case of the SecureDrop servers themselves, we right now use grsecurity patches for kernels, and so those are not available on those platforms. And as far as the workstation itself is concerned, currently Xen only supports the x86 architecture. I think that there is a ticket, either in the Qubes project's issue tracker or the Xen project itself, to migrate or to offer support on POWER9, but it sounds like a very complex project, and I believe that right now there are no immediate plans to move to that platform. So unfortunately, these platforms may not be ready to be used by SecureDrop right now.
Right, that was a very good question. I agree. And we've got another one for you. Activists and journalists are obviously in need of this, but what about corporate whistleblowers? How do you reach out to them, or make them aware that this exists?
It's also a good question. I think that part of the challenge with the situation of corporate whistleblowing is that oftentimes, if you're in a large enough corporation, your device is actively managed by the corporation itself. And so a potential source should be aware that whatever communication or whatever site they browse may be visible to their employer. There have been some news organizations that have done some outreach specifically around whistleblowing within tech companies, and I think that that outreach has worked very well, I believe. And so, you know, I think that we could definitely be doing more awareness or more outreach in that, but I think that that might be also dependent on the news organizations themselves, as they're the ones who solicit stories, and they would ask or work on the...
Right, thank you. We have a few minutes left, so we're going to go on to the next question. Can you give us an overview of attacks that you've seen against SecureDrop or its components?
Sure. So, one that we have observed in the past, which was the work of a security researcher, not a malicious actor, someone raising awareness: they basically submitted to the SecureDrop source interface a desktop file, and this desktop file was able to interpret, I believe it was Python code, that would present the journalist who decrypted the file with a QR code. And then the journalist would scan the QR code and it would open a URL that would perhaps leak information to a given web server. So that was a proof of concept that was presented to us, and that was a very good example. That was maybe three years ago, approximately, and since then there were some changes in GNOME and Tails where desktop files do not execute by default, and there is a prompt that requires the user to change a bit to be able to execute that code. So that's an example. Yeah.
Well, that's excellent that that was addressed. Very nice job. All right, we are really running down to the wire. Our next question is: are there design choices you've made that you might make differently today? And any plans for big changes in the future?
Are there any design choices that we would make differently today? Not that I can think of. I think that part of the strength, in my view, of the project is that we use a lot of boring technology. But the advantage of boring technology is that it has known properties. And so there are some advantages to, you know, all these newer technologies, and consistently making design changes to catch up to some of the newer technologies, but having boring and stable technologies is also a known quantity. So I think from that point of view, that's a good thing. And as far as big changes for the future: right now we're focused on this journalist workstation. I think in the future, our immediate plans are to support on this workstation more tip lines, as I said in the presentation, and better support for journalists' post-processing tasks, like sanitization and data removal. And so all these sorts of tasks and all these features take a lot of time to implement, and to implement right. So that is mostly the biggest change for the medium-term future.
Okay, and we'll try to squeeze one last question in, in 30 seconds or less. Are there any current plans to support having trusted sources request an even more secure drop than normal? You know, even if it requires more setup.
So I think that at this point we strike a balance between the complexity of operation from the perspective of the source, and security. I think that as far as a source is concerned, a source can manually encrypt their files, and they could use SecureDrop as the first contact with the news org, and then perhaps develop other types of methodologies for communicating files or communicating with the journalists. That's an option. But right now, I think it strikes a pretty good balance, and it is fairly proven technology at this point.
Well, that was a great discussion. On behalf of all the HOPE 2020 attendees, presenters and volunteers, thank you, Mikhail, for sharing your presentation with us today. Thank you very much.
Nice to be here.
All right, at the top of the hour we'll have our next talk, Fake Faces with Chris Landreth, coming right up. Some fresh bumps, fresh tracks. Take it away, Ground Control.