Schneier on Security
A blog covering security and security technology.
October 17, 2013
SecureDrop is an open-source whistleblower support system, originally written by Aaron Swartz and now run by the Freedom of the Press Foundation. The first instance of this system was named StrongBox and is being run by The New Yorker. To further add to the naming confusion, Aaron Swartz called the system DeadDrop when he wrote the code.
I participated in a detailed security audit of the StrongBox implementation, along with some great researchers from the University of Washington and Jacob Appelbaum. The problems we found were largely procedural, and things that the Freedom of the Press Foundation is working to fix.
Freedom of the Press Foundation is not running any instances of SecureDrop. It has about a half dozen major news organizations lined up, and will be helping them install their own starting the first week of November. So hopefully any would-be whistleblowers will soon have their choice of news organizations to securely communicate with.
Strong technical whistleblower protection is essential, especially given President Obama's war on whistleblowers. I hope this system is broadly implemented and extensively used.
Posted on October 17, 2013 at 7:15 AM
I've been looking forward to this for some time and I hope the system is correctly implemented by those newspapers.
Privacybox.de used to run a similar service; then the politics of whoever runs the German Privacy Foundation led to its closure. I haven't checked out SecureDrop; hopefully it also utilizes PFS to prevent a journalist being arrested and everything decrypted.
In other news Adi Shamir won't be attending the history of cryptology conference for suspicious reasons. US purposely delayed his visa and dumped his paper.
Isn't it ironic how Obama had a different view just before the election?
"whistleblower protections" paragraph from the Obama Website:
"Often the best source of information about waste, fraud, and abuse in government is an existing government employee committed to public integrity and willing to speak out. Such acts of courage and patriotism, which can sometimes save lives and often save taxpayer dollars, should be encouraged rather than stifled. We need to empower federal employees as watchdogs of wrongdoing and partners in performance. Barack Obama will strengthen whistleblower laws to protect federal workers who expose waste, fraud, and abuse of authority in government. Obama will ensure that federal agencies expedite the process for reviewing whistleblower claims and whistleblowers have full access to courts and due process."
Excellent! Very glad to learn more details, just read about SecureDrop a few days ago.
@ Paolo, Gosh I just despair when I read what Obama said he'd do to enable whistleblowing and compare that to what he's done. There is no limit to the lies politicians are willing to tell in order to get power.
These days I don't see any way back from the control by a lying political elite and the collaborators. Even worse, hardly anyone registers that we're dominated by a global surveillance apparatus, and even fewer care. What a bleak future.
It is interesting to note that the Obama quote has now been removed from the internet, just to tidy up history and make it match the current reality one presumes.
We'd like to have a similar "big audit" also on the GlobaLeaks Project, where we also received 3 independent technical penetration tests!
The main differences between SecureDrop and GlobaLeaks are:
* SecureDrop focuses mostly on security
* GlobaLeaks focuses also on usability, ease of deployment, maintenance and flexibility of use (and setup of an ecosystem of software based on submission APIs)
From the software engineering point of view I think that GlobaLeaks is more advanced, while from the architectural point of view SecureDrop is more secure.
It would be nice to see the two projects get together to share the goals of the two :-)
Hermes Center for Transparency and Digital Human Rights
Having a big audit would be great, but it still leaves open bad implementation by the individual news agencies that provide the service. Like the big audit of TrueCrypt, it's great, but every future version will still need to be audited because every future version can have changes. Changes could still be made after the audit as is the case with any software, open or not. Yes, I'm that paranoid. Or please let me know if I'm missing something because I'm here to learn.
The nickname is going to identify you to the N S A on your jailbroken endpoint. I thought you never should send anything twice?
Adi Shamir couldn't attend an NSA sponsored crypto conference because he couldn't get a US visa.
"I have been to the US close to a hundred times so far (including some multi-year visits), and had never overstayed my visas. In addition, the number of terrorists among the members of the US National Academy of Science is rather small."
Careful, using irony or sarcasm to the US government can be a security issue!
I applaud this work, although I think it's the wrong initial priority: The first priority should be for every press institution (and criminal attorney for that matter) to insource their email.
The reason why email subpoenas are so attractive in leak hunts (and expect to see them on state & local level leak hunts in the future) is they are silent whenever the press agency uses outsourced email, yet if the press or law firm uses their own email servers, the subpoenas get noticed immediately and there is a chance to fight the subpoenas in court.
Supporting insourced email should be no more difficult than supporting an internal SecureDrop install, especially if there is technical assistance in building a nice, simple to install package, but will provide far more benefit for far more people.
It should be considered a massive violation of journalistic and legal ethics to utilize an outsourced email provider.
It's not Obama...
I wonder why Obama is taking so much heat for this. My understanding of Washington and American power structures is that someone else is coercing Obama to keep certain policies he intended to change. (NSA & Pentagon, perhaps?) The President doesn't control the country: he's just a cog in a machine which is only partly visible to the public. These programs and activities will continue if the real power in Washington wants them to.
We did have a President once who opposed secret societies, the Federal Reserve, and covert ops against American people. He even began the process of printing an alternative currency so he could dismantle the Fed eventually. He threatened the real power. So the real power removed his head from his body via lead traveling at high velocity. His name was John Fitzgerald Kennedy.
And the opponents of the people have vastly more power than they did then.
Bonus Case Study: Wikileaks
I often say the international bankers own the country, esp seeing the Fed Reserve is privately owned corporation. Many politicians have said so over the years. The no-questions-asked-with-criminal-immunity bailout of Goldman Sachs to tune of $1 tril. is also evidence that they have insane levels of influence. Why am I bringing this tangent up? Oh, it's no tangent. Let me explain the vital importance of understanding who has real power before taking action.
Remember that Wikileaks was the first SecureDrop in practice. They were a thorn in the government's side. They embarrassed big corporations, the military, intelligence agencies, state department, foreign countries... you name it. Pentagon, LEO's, etc failed to stop them. Then Wikileaks targeted one of the country's financial owners: Bank of America. The result was that the largest financial processors cut Wikileaks off from financial contributions. With no money, it withered and died.
You mess with Real Power, you get treated like Wikileaks. Just the four main financial institutions behind the Fed could instantly cause a great depression (that they would survive) if they chose. Military-industrial complex has its own... "problem solving methods." Obama can't stop these people. At all. Diverting the freight train that is the current system from its path will take majority of America standing behind Congress w/ National Guard ready just in case, with everyone willing to endure financial ruin if system collapses.
People won't do that. The Owners know that. That's why things are getting worse in obvious ways. They won the war on freedom 12 years ago. Now, they're just mopping up while putting faith in people being too uninformed/weak to revolt against their power. As before, I won't hold my breath although I'll continue to push tools and designs to help them when they do.
@Nick P - in the UK we have the WI who secretly control things behind the scenes
Who? Google's just giving me Women's Institutes lol.
But the NSA can still trace back connections to StrongBox et al. to the devices which connect. No?
So whistleblowers still need to make sure their device cannot be traced back to a person ...
More meshnets could help too.
"Let them eat static." - Khan
@wp it's also easier to just go to an internet cafe or wifi in Starbucks and connect to their web page than to maintain a completely safe email address.
The idea is to help both hosts who aren't as technically literate and whistleblowers who don't have the field craft.
But the NSA can still trace back connections to StrongBox et al. to the devices which connect
A little wardriving through a neighborhood will come up with open access points. There's a few around me that are completely open. When I first powered on my Nexus 7 tablet, it automatically connected to an open WiFi and downloaded updates before I could actually use the device and integrate it into my WiFi.
What we people need is open scrum and agile for politics! This way politicians can claim doing something, but have to keep their promises backed up by real data. Hopefully making politicians jobless and enabling us to self-manage our country and ourselves. Ok, ok, let the man dream.. let the man dream..
I was thinking the same thing, but your car and its license plate can identify you, and if anybody is paying attention, they might remember you.
Better yet, weather permitting, ride your bicycle to a neighborhood "pocket park", and use the WiFi connection from there. No car to be seen!
"...you should never send anything twice."
I suppose you could add or remove a few spaces, or carriage returns to the document to change its checksum, so it "looks different" to anything watching for that sort of thing.
Personally I think the biggest risk has to be in letting each individual newspaper implement their own 'strongbox'. No doubt these newspaper IT staff aren't security nuts, and I can see this will end in tears.
If I was going to design this from the ground up I would do it as a cloud service, and here is how it would work:
I would ask all participating papers to at least partially enable SSL. Even if they just had one load balancer push people over to the https site so you've got maybe a 1 in 10 chance of getting an SSLized connection. Allow people to force using SSL. The idea here is to ensure that there is enough legitimate SSL traffic so that our whistleblowers do not get spotted.
We would give each newspaper a .tar.gz to extract onto their web server (their main domain otherwise we can't hide these requests in with all the legit stuff), perhaps we make a new subdirectory called newstips/
The 'newstips' section will have a page with some general opsec advice for people intending to leak and importantly some files to download. There will be a Windows 32/64 universal .exe file, a MACOSX app, a PDF of how the implementation works and a .deb that has been statically linked to any obscure libraries so it hopefully works for Ubuntu and Debian users. There will also be a .tgz of the source code for review.
In warzones and areas of civil unrest or civil disobedience rights groups can hand out a CD containing well - just a wget of that newstips/ directory. This is all a stranger needs to start leaking. We may have a script for the newspaper server admin to put in cron that changes the size of the file by adding fluff below the end of the file, etc.. so that traffic analysis is more difficult if the file is constantly changing size. We don't intend for the newspaper site to be the primary place they go to download the files - but it's one option for them. There will be many different ways to distribute, including just going to the cloud strongbox provider's hidden service address with a web browser once you have tor. Or it can be mailed to you - again, all sorts of options.
The downloaded Windows file is intended to be portable and to be put onto a fresh small USB stick. The user runs it off the stick (it doesn't write a single byte to registry, etc.. it tries to keep solely to itself). The windows version of the program doesn't go online until the actual time of submission either, which is good.
So they run the app, select which mode to operate on (via tor or relay through a busy newspaper site using SSL - the latter is riskier but the only real option for those in oppressive regimes where using tor itself is criminal. Ideally you'd be in an internet cafe and use good opsec to ensure you're not IDable). In the latter mode if there is too much info to upload and it is going to look unusually large going upstream versus all the other traffic it might suggest you do one part one day and another in a few days. The newspapers who run the relays can help (even though it is wasteful) by using some AJAX that makes clients using their site and reading the news push up some random junk).
Once they've set their mode they then need to choose a passphrase. It will suggest a few (a la diceware style word lists) or they can enter their own. A brief dict run against 100,000 of the worst passwords is done when they click Next.
The next step is key generation and the keypair is saved along with all the other settings that they are setting up in an AES256 encrypted container on the USB disk.
Next they can drag all the files they want to leak into the drag and drop style interface. Going Next brings them to a display of all the hidden metadata that has been found and they can scrub the files if need be. It also gives them a lecture about covert metadata in the form of digital watermarking, steg, etc. There is a redaction tool and you can apply a range of filters to reduce the resolution and/or OCR a text only document and then reformat the text to avoid being caught out by document marking which uses font metrics and spacing. They can then use the redaction tool to securely redact. Finally the data they've chosen to leak is transcoded into an appropriate format and prepared.
An address book is compiled into the binary. This shows all of the news agencies that use the service. They can select a news agency and then select a journalist. If the address book needs updating this can be done but you will be explicitly asked to confirm if you wish to go online (using whatever method you selected) to do this. Many will be preparing their docs at home and will want to defer this bit when they are on a public PC or wardriving. Anyway they can defer now and close the app or click next. Let's assume next.
At this point all of the queued data is archived into a single file and asymmetrically encrypted to the journalist's public key (which is in the address book) and prepared ready to send.
A summary of everything that is queued is shown. When you are ready you can click SUBMIT. It will go online (through tor if you accept the default) for strictly only long enough to do its bit and get the hell out.
When successfully completed you will get a source codename. It is drawn from an English code book and is two words. This is used to uniquely identify the source should you wish to communicate in future. (ideally OTR style chat will be included at some point also). So, for example - "PATERNOSTER JOE"
When you click FINISH it will inform you that it now wishes to securely erase your USB flash drive. It will also provide some handy hints on how to clean up the computer which you've handled the documents on, depending on the threat level. It will then securely erase the flash drive (as securely as you can erase flash that is) and recommend incineration.
IMHO that's how I would handle such a thing.
Once on the cloud server for the strongbox-type service provider it will then be e-mailed to the journalist as a standard GPG encrypted email. Nothing fancy. Email can be split if need be.
By having a 'service provider' do all the hard stuff they can sit back and just let it work and let the experts look after the stuff that needs to be secure. IMHO. I have had a few too many glasses of wine tonight so I hope I am not too incoherent.
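As an added illustration of two pieces of the tool sketched in the comment above (it is not code from the post, from the commenter, or from SecureDrop): the scrub of "covert metadata" hidden in plain text (zero-width characters, NBSP versus space, double spaces, CRLF versus LF, padded blank lines, the kind of per-copy marks that also defeat the "add a few spaces to change the checksum" idea in the other direction), and the two-word source codename drawn from a diceware-style list with a CSPRNG. The two memos and the word list are constructed for the example; the only thing shown is that two differently marked copies of one memo hash differently before the scrub and identically after it.

```python
"""Added example, stdlib only; not the blog post's or any commenter's code.
Demonstrates text-level watermark scrubbing and CSPRNG codename generation
for a hypothetical submission tool. Sample memos and word list are constructed."""
import hashlib
import re
import secrets
import unicodedata


def scrub_text(text: str) -> str:
    """Canonicalise a plain-text document so per-copy invisible marks vanish.

    Per-recipient fingerprints in text are usually invisible: zero-width
    joiners, word joiners, soft hyphens, NBSP instead of space, doubled
    spaces, trailing blanks, CRLF vs. LF, extra blank lines. Each step
    below closes one such channel; readable content is left alone.
    Caveat: NFKC also folds ligatures and superscripts, so check the output
    on documents where those carry meaning.
    """
    text = unicodedata.normalize("NFKC", text)             # NBSP, thin spaces -> U+0020
    # Category Cf = format characters: U+200B-U+200D, U+2060, U+FEFF, U+00AD, LRM/RLM.
    text = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    text = text.replace("\r\n", "\n").replace("\r", "\n")  # one line-ending convention
    lines = [re.sub(r"\s+", " ", line).strip() for line in text.split("\n")]
    text = "\n".join(lines)
    text = re.sub(r"\n{3,}", "\n\n", text)                  # at most one blank line
    return text.strip() + "\n"


def fingerprint(text: str) -> str:
    """SHA-256 of the UTF-8 bytes: what a leak hunter compares against each copy."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def codename(wordlist, words=2, rng=secrets):
    """Two-word source codename, drawn with a CSPRNG rather than random.choice()."""
    return " ".join(rng.choice(wordlist).upper() for _ in range(words))


# Constructed sample: one memo as issued to two recipients, each copy
# carrying a different invisible mark (ZW chars, NBSP, double space, CRLF,
# padded blank lines).
MEMO_A = ("Project  Aurora\u200b budget is\u00a0frozen until Q3.\r\n\r\n"
          "Circulate to\u200c leads only. ")
MEMO_B = ("Project Aurora\u200d budget is frozen\u2060 until Q3.\n\n\n\n"
          "Circulate to leads only.\u200b")

# Constructed stand-in for a diceware-style list (a real one has ~7,776 words).
WORDLIST = ["paternoster", "joe", "lantern", "quartz", "mallow", "ember"]


if __name__ == "__main__":
    print("raw copies identical:     ", fingerprint(MEMO_A) == fingerprint(MEMO_B))
    a, b = scrub_text(MEMO_A), scrub_text(MEMO_B)
    print("scrubbed copies identical:", fingerprint(a) == fingerprint(b))
    print(repr(a))
    print("codename:", codename(WORDLIST))
```

Run it stand-alone and the raw copies compare unequal while the scrubbed copies compare equal. This only addresses marks carried in the characters themselves; fingerprints in font metrics, kerning or images need the OCR-and-reformat route the comment mentions, and the codename is only as unguessable as the word list is long.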
I imagine that Senator Obama had in mind Proper Channels for whistleblowing, with Strict Policy against retaliation -- rather than encouraging leaks to parties outside the family.
As can be read (through Google Translate I guess) here, it's being implemented by Danish national radio station Radio 24syv: http://www.b.dk/nationalt/...