Improving the SecureDrop System Architecture heartsucker SecureDrop - - PowerPoint PPT Presentation

▶

Oct 24, 2022 207 likes •644 views

Improving the SecureDrop System Architecture heartsucker SecureDrop Maintainer FOSDEM 2018 SecureDrop Release Signing Key Fingerprint: 2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77 SecureDrop is an open-source whistleblower submission

SLIDE 1

Improving the SecureDrop System Architecture

heartsucker

SecureDrop Maintainer

FOSDEM 2018

SecureDrop Release Signing Key Fingerprint: 2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77

SLIDE 2

SecureDrop is an open-source whistleblower submission system that media organizations can use to securely accept documents from and communicate with anonymous sources.

SLIDE 3

picture of all the presidents men

In the past, journalists could protect their sources by simply not revealing their identities when asked.

Still from “All the Presidents Men”, a film adaptation of Carl Bernstein and Bob Woodward’s reporting on the Watergate break-in

SLIDE 4

SLIDE 5

SLIDE 6 GCHQ surveillance base in Bude, UK. Image credit: Trevor Paglen

Threat Model

SLIDE 7

What are we trying to protect? Source Anonymity Document Confidentiality

SLIDE 8

Who do we want to protect it from?

Nation States Large Corporations Local Law Enforcement & Government

EVERYONE

SLIDE 9

What are their capabilities?

Intercept Network Traffic Hack Into the Servers Send Agents to Seize Hardware

EVERYTHING

Submit Malware to Journalists via SecureDrop

SLIDE 10 Image: Guram Mikaberidze

SLIDE 11

Current State of SecureDrop

SLIDE 12 App Server Monitor Server Firewall Journalist Source Secure Viewing Station

SLIDE 13

Develop, Deliver, Deploy

1. Write a feature
2. Write tests
a. Unit tests
b. Functional tests w/ Selenium
c. Multi-stage tests with Molecule
3. Write docs
4. Mandatory code review for all developers
5. Automated testing with CircleCI
a. Linting
b. Unit & functional tests
c. Debian packaging, test deployment scripts
6. Manual testing of release candidates
7. Publish packages to apt repo

NOTHING SPECIAL HERE

SLIDE 14

SLIDE 15

Failures and Fixes

SLIDE 16

SLIDE 17

What went wrong

Root cause: Nautilus allowing .desktop files to execute arbitrary code
SVS is not a true airgap

○ dirty USBs to Journalist Workstation ○ USBs to publishing/editing workstation

Failure to adhere to principle of least privilege / imperfect isolation

○ GPG keys accessible by untrusted files

SLIDE 18

SLIDE 19 Internet-connected VM Disposable VM not connected to the internet Journalist Workstation

SLIDE 20

SLIDE 21

:(

SLIDE 22

SLIDE 23

SLIDE 24

SLIDE 25

Localization

Code changes
Dependency changes
Build update to support translations
Weblate for external translators
String freezes in preparation for a release

SLIDE 26

SLIDE 27

SLIDE 28

SLIDE 29

SLIDE 30

SLIDE 31

Postgres Alembic Flask-SQLAlchemy pytest Source App Refactor Journalist App Refactor

SLIDE 32

SLIDE 33

App Server

SLIDE 34

App Server

Gateway Source App Journalist App Database Workstation

SLIDE 35

Open Questions & Research

SLIDE 36

SLIDE 37

SLIDE 38

TODO SD is super boring to write and it’s bs grunt work but the end resutl is super important

SLIDE 39

can prevent press freedom violations.

SLIDE 40

Current SecureDrop Team

Ford-Mozilla Open Web Fellow

+ contributors

prototyping next generation SecureDrop workstation

SLIDE 41

Come join us!

Please come and talk to one of us after if you are interested in helping out!
Translation: https://weblate.securedrop.club
Code and documentation:
https://github.com/freedomofpress/securedrop
https://github.com/freedomofpress/securedropworkstation
Chat with us:
https://forum.securedrop.club (forum)
https://gitter.im/freedomofpress/securedrop (team chat)
securedrop@freedom.press
Donate: https://securedrop.org/donate
Follow: @SecureDrop and @FreedomOfPress

SLIDE 42

Contact

heartsucker@freedom.press 0CEC 9368 88A6 0171 4611 74C5 C0A2 586F 09D7 7C82