
1 day ago
Unfiled. Edited by Garrett Robinson 1 day ago
Tentative schedule: ???
 
10 days ago
Unfiled. Edited by Kevin M. Gallagher 10 days ago
TL;DR: Grab your personal computer, Tails USB, and documents—but leave your phone at home. Use cash and take a bus to a coffee shop that you've never been to. Avoid shoulder surfers and CCTV. Using the Tor Browser, or preferably the Tails operating system, access your preferred news organization's SecureDrop onion URL from the coffee shop's open WiFi. Always be aware of the info you are submitting, obvious or not. If you use SecureDrop again, access it from a new location. Protect your codename. Don't tell anyone about what you are doing or have done, and never answer questions from investigators without a lawyer present.
 
First, you must be careful never to contact a SecureDrop site from work. Most corporate and government networks log traffic at some level, ranging from "netflow" (a record of which computers are contacted) to full intrusion detection logs that record every URL visited on the network. A network administrator at work may easily be able to determine who has been using Tor on the work network, and any attempt to use Tor within a monitored network may arouse unwanted suspicion.
 
This means that if you wish to submit documents that exist in your work environment, you must remove them and submit them to SecureDrop using your personal computer, or even better, a new computer at a location other than work.
 
By now it should be clear that you cannot safely use Tor from work or even from home, as even the lightest monitoring can often identify Tor users. Thus if you wish to leak documents to a SecureDrop instance, you should go to a third location with public WiFi, like a coffee shop. Ideally, you would not go to a coffee shop that you've been to before or which you plan on returning to. Avoid bringing and using items that can be used to track your location, like your cell phone. Buy your coffee in cash; do not use a credit card. Oh, and wear a hat.
 
While accessing and using SecureDrop, try to sit with your back to the wall and use a privacy screen to avoid shoulder surfers and video cameras.
 
Don't re-use the same location to access SecureDrop.
 
Any shared computer, for example a public library or internet cafe computer, also increases your risk of surveillance, although in a different manner. These computers may have network monitoring, and may also keep access logs. Your personal device for daily use may be infected with malware that has the same capability. To mitigate this risk, you should boot your computer from a live operating system like Tails. This requires some sophistication, as the initial installation of Tails (onto a DVD or USB stick) is fairly involved. However, the Tails project offers detailed instructions on how to download and use it.
 
The Tor Browser, the privacy-conscious web browser that masks the IP address of your computer, is an integral part of SecureDrop and one of the keys to keeping your identity secret.
 
You should never access the SecureDrop site in any browser other than the Tor Browser. Go here to download: https://www.torproject.org/download/download-easy.html.en or download it from our own Tor Project mirror site: https://tor.pressfreedomfoundation.org 
 
If you try to access the SecureDrop site from Tor2Web you will receive a warning telling you to open Tor first.
 
JavaScript is a programming language used by many of today's most popular websites. Most browsers have JavaScript turned on by default because these websites would not run properly without it. While JavaScript may make websites work better, because of the way it works it also makes you more vulnerable to an attacker: by leaving it on, there is an increased chance that a determined attacker can find out your identity.
 
If you have JavaScript enabled and try to upload documents, SecureDrop will show you a warning and tell you how to disable it. In the Tor Browser Bundle, click the NoScript "S" icon (between the green onion and the address bar) and select "Forbid scripts globally". Make sure to reload the page before continuing.
 
Protecting Your Codename
 
A 7-10 random word codename that is only sporadically used will be almost impossible for the average person to remember. You will have to record it somewhere until you either remember it or no longer need it. When recording the codename, try not to store the whole codename together. Break the codename into a few parts and store the parts in different locations.
 
If used properly, SecureDrop does not log any identifying information and you can stay anonymous, even from the journalists you are communicating with. However, the document you upload may contain "metadata" with identifying information such as the author, editor, operating system or programs used, location, and timestamps embedded within it. For extremely sensitive documents, corporations or governments may have placed watermarks or other unique identifiers on them to help identify the source if they are leaked.
 
The journalists are instructed to scrub this metadata on their end before ever publishing such documents. But if the source is concerned, they can use the Metadata Anonymization Toolkit (MAT) to do this before submitting. Unfortunately, MAT only runs in Debian or Tails, so you will have to go through some extra steps to use it.
 
Right now, the Tor network encrypts your document in transit, and then the document is encrypted to a GPG key for storage on the SecureDrop server (the private key is stored offline). However, the message is momentarily in plain text when it hits the server, and you are trusting that the web application and environment have not been compromised. We have our web application and environment continually audited to make sure it is as safe as possible. But to be 100% sure the plain text of your message or document never touches the server, you can encrypt your message or document before sending.
 
To do this, you can download the journalist's public key from the SecureDrop main page. On Tails, follow these instructions on the command line:
 
Import the journalist's public key:
 
  • $ gpg --import /home/source/journalist.asc
 
On a successful import, make note of the name or e-mail address corresponding to the key, then use it to encrypt your message with their key:
 
  • $ gpg --encrypt --armor --recipient journalist@news.org
 
Press enter, compose your message and then press Ctrl+D when you are done. Copy and paste the entire block of encrypted text into the comment box on the SecureDrop main page. When you hit submit your message will already be encrypted once, and will be encrypted again once it hits the server. Your message will never be seen in plain text by the server.
 
To encrypt a document which you can then upload through the SecureDrop interface:
 
  • $ gpg --encrypt --recipient journalist@news.org /home/source/document.pdf
 
The resulting encrypted file would live in the same folder and be called document.pdf.asc or document.pdf.gpg. The "armored" (--armor) output option can also be used, but the ASCII output will be larger if you're encrypting a binary format like images, PDFs and media as opposed to text.
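The whole procedure above, replayed end to end as an added example (this is not code from the pad or from the SecureDrop project): a throwaway key pair stands in for the journalist, its public half is exported as journalist.asc, and the source side imports it, encrypts a message with --armor and a constructed document.pdf without it, exactly as the commands above do. The journalist's side then decrypts both to show the round trip. It assumes GnuPG 2.1 or newer on PATH; the address journalist@news.org is the pad's placeholder, and the two keyrings live in temporary GNUPGHOME directories so nothing touches your real keyring.

```python
import os
import shutil
import subprocess
import tempfile

# The pad's placeholder recipient; a throwaway key is generated for it below.
JOURNALIST_UID = "Journalist <journalist@news.org>"
JOURNALIST_EMAIL = "journalist@news.org"


def _gpg(home, *args, data=None):
    """Run gpg against a throwaway keyring directory and return its stdout."""
    env = dict(os.environ, GNUPGHOME=home)
    cmd = ["gpg", "--batch", "--quiet", "--yes", "--pinentry-mode", "loopback",
           "--passphrase", "", *args]
    return subprocess.run(cmd, input=data, env=env, check=True,
                          capture_output=True).stdout


def _cleanup(home):
    """Stop the agent gpg started for this keyring and delete the keyring."""
    env = dict(os.environ, GNUPGHOME=home)
    subprocess.run(["gpgconf", "--kill", "gpg-agent"], env=env, capture_output=True)
    shutil.rmtree(home, ignore_errors=True)


def encrypt_before_submitting(message, document=b"%PDF-1.4\n% constructed sample\n"):
    """Replay the pad's import/encrypt steps with two separate keyrings.

    Returns None when gpg is not installed; otherwise a dict with the armored
    message, the decrypted message, the encrypted file's name and whether the
    document survived the round trip unchanged.
    """
    if shutil.which("gpg") is None:
        return None
    journalist_home = tempfile.mkdtemp(prefix="journalist-")
    source_home = tempfile.mkdtemp(prefix="source-")
    try:
        # Journalist side: create the key pair (no passphrase, never expires)
        # and publish the public half as journalist.asc.
        _gpg(journalist_home, "--quick-generate-key", JOURNALIST_UID,
             "default", "default", "never")
        pubkey = _gpg(journalist_home, "--armor", "--export", JOURNALIST_EMAIL)
        key_path = os.path.join(source_home, "journalist.asc")
        with open(key_path, "wb") as f:
            f.write(pubkey)

        # Source side, step 1: gpg --import journalist.asc
        _gpg(source_home, "--import", key_path)
        # Step 2: gpg --encrypt --armor --recipient journalist@news.org
        # (message on stdin; --trust-model always replaces the interactive
        # "is this really their key?" prompt that --batch cannot answer).
        armored = _gpg(source_home, "--trust-model", "always", "--encrypt",
                       "--armor", "--recipient", JOURNALIST_EMAIL,
                       data=message.encode())
        # Step 3: gpg --encrypt --recipient journalist@news.org document.pdf
        doc_path = os.path.join(source_home, "document.pdf")
        with open(doc_path, "wb") as f:
            f.write(document)
        _gpg(source_home, "--trust-model", "always", "--encrypt",
             "--recipient", JOURNALIST_EMAIL, doc_path)
        encrypted_doc = doc_path + ".gpg"  # gpg's default output name
        with open(encrypted_doc, "rb") as f:
            doc_blob = f.read()

        # Journalist side: decrypt both with the offline private key.
        decrypted_message = _gpg(journalist_home, "--decrypt", data=armored)
        decrypted_document = _gpg(journalist_home, "--decrypt", data=doc_blob)
        return {
            "armored": armored.decode(),
            "decrypted_message": decrypted_message.decode(),
            "encrypted_document_name": os.path.basename(encrypted_doc),
            "document_round_trips": decrypted_document == document,
        }
    finally:
        _cleanup(journalist_home)
        _cleanup(source_home)


if __name__ == "__main__":
    result = encrypt_before_submitting("Meet me at the usual place.")
    print("gpg not installed" if result is None else result["armored"])
```

The armored output is what gets pasted into the comment box; the plaintext does not appear anywhere in it, which is the property the paragraph above is after. The `--trust-model always` flag is only there because the example runs unattended; when you run the pad's commands by hand, gpg will instead ask you to confirm the key and you should compare its fingerprint against the one published on the SecureDrop page.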
 
In a situation where there are a limited number of people who had access to the document, and where it was an important enough document to spark an investigation by the FBI, you will likely be questioned by investigators even if you've done everything correctly. It's also possible they will know you have connected to Tor at some point if you did so from your home or work Internet connection. They will use this as leverage to try to get you to admit what you did. Using Tor does not prove you have committed a crime. If you say nothing, they cannot prosecute you if this is their only evidence. 
 
Many people believe in using the postal service to get documents to journalists because of unambiguous warrant protections involving physical mail. Although it takes a warrant to open mail, the US government photographs the outside of every letter and package sent. This can be used to identify the mailbox for any letter of note, and potentially provide the government with knowledge of the outside of every letter sent to a target recipient long after the fact. Therefore:
 
* Make sure there is no valid return address on your package; consider putting a fake return address on the package to avoid suspicion.
 
* Do not enter any post office to mail anything, since they also take photos of the faces of everyone who mails a package with them. Instead, mail from a sidewalk public mailbox. 
 
* Make sure you do not leave any fingerprints on the package in case it ends up in the hands of the authorities (at least one source has been convicted in part because his fingerprints were found on the source documents).
 
13 days ago
Unfiled. Edited by Trevor Timm 13 days ago
SecureDrop Deployment Best Practices
 
SecureDrop is only as secure as the environment that surrounds it. To keep sources safe, the news organization's website must employ a set of basic security best practices or else you risk losing any source protection provided by SecureDrop. 
 
While SecureDrop itself is located on a Tor hidden service, news organizations also need to create a SecureDrop landing page that will explain how SecureDrop works, give sources instructions on how to access the Tor hidden service, and disclose the risks.
 
It is important to keep in mind that implementing SecureDrop will bring more attention to your organization from security researchers, hackers, and other like-minded people. If your landing page's minimum requirements are not implemented, these people will be sure to loudly point this out on Twitter and blogs as a #SecurityFail. This will discourage potential sources from using your instance of SecureDrop. However, it can easily be avoided by following the best practices below.
 
Freedom of the Press Foundation will soon list on its website all SecureDrop onion URLs that meet the minimum requirements for deployment best practices as "verified". If your organization cannot follow the minimum guidelines, we cannot recommend to users that your SecureDrop is safe to use.
 
In addition to implementing the below best practices, it is strongly recommended that you have a reputable security firm perform a security review of your organization's public website prior to launching an instance of SecureDrop. Upon request, we can help put you in touch with a few security firms if you need more assistance.
 
Landing Page
 
Most news organizations, in fact almost all, do not use HTTPS encryption by default. This is the number one minimum requirement for the SecureDrop landing page on your website. Without HTTPS, a source can easily be exposed as a visitor to your site.
 
If you do not serve ads anywhere on your site, you should also consider switching your whole site over to HTTPS by default immediately. If you do serve ads, consider pressuring your ad networks to enable you to switch to HTTPS for your entire website in the future.
 
Both the New Yorker and Forbes were heavily criticized when launching their versions of SecureDrop because their landing pages contained trackers. They claimed to be going to great lengths to protect sources' anonymity, but by having trackers on their landing pages they also opened up multiple avenues for third parties to collect information on those sources. This information can potentially be accessed by law enforcement or intelligence agencies and could unduly expose a source.
 
Security headers give instructions to the web browser on how to handle the web application's responses. These headers set strict rules for the browser and help mitigate potential attacks. Given that the browser is a main avenue for attack, it is important these headers are as strict as possible.
 
If you use Apache, you can use these:
 
 
If you use Nginx, you can follow this link and use the configuration file provided by ProPublica.
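A check that ties the three landing-page requirements above together (HTTPS, strict security headers, no third-party trackers), written as an added example rather than anything from the pad or from SecureDrop's own tooling. It takes a landing page's URL, response headers and HTML, and returns every finding a reviewer would flag. The header set and the accepted values are this example's assumption of a reasonable baseline, not a list the pad gives; the two sample pages are constructed and the hostnames in them are fictitious.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Headers a hardened landing page is expected to send, with a minimal
# sanity check on each value. This set is the example's assumption.
REQUIRED_HEADERS = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": lambda v: "default-src" in v.lower(),
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.lower() == "nosniff",
}


class _ResourceCollector(HTMLParser):
    """Collects every URL the page pulls in via script/img/iframe/link tags."""

    LOADING_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = self.LOADING_ATTRS.get(tag)
        if attr:
            for name, value in attrs:
                if name == attr and value:
                    self.urls.append(value)


def audit_landing_page(url, headers, html):
    """Return a list of findings; an empty list means the page passed.

    url: the landing page URL as served to sources
    headers: response headers as a dict (matched case-insensitively)
    html: the response body
    """
    findings = []
    page = urlparse(url)
    if page.scheme != "https":
        findings.append("landing page is not served over HTTPS")
    lower = {k.lower(): v for k, v in headers.items()}
    for name, value_ok in REQUIRED_HEADERS.items():
        if name not in lower:
            findings.append(f"missing header: {name}")
        elif not value_ok(lower[name]):
            findings.append(f"weak value for {name}: {lower[name]!r}")
    collector = _ResourceCollector()
    collector.feed(html)
    for resource in collector.urls:
        # Scheme-relative ("//host/...") and absolute URLs carry a host;
        # anything not on the page's own host is a third party that sees
        # the visitor's IP address and browser details.
        host = urlparse(resource).netloc
        if host and host != page.netloc:
            findings.append(f"third-party resource loaded from {host}: {resource}")
    return findings


# Constructed sample responses (fictitious hosts), one failing and one passing.
BAD_PAGE = {
    "url": "http://news.example/securedrop",
    "headers": {"Content-Type": "text/html"},
    "html": '<html><head><script src="https://analytics.example/track.js"></script>'
            '<link rel="stylesheet" href="/static/site.css"></head>'
            '<body><img src="//ads.example/pixel.gif"></body></html>',
}
GOOD_PAGE = {
    "url": "https://news.example/securedrop",
    "headers": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'",
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
    },
    "html": '<html><head><link rel="stylesheet" href="/static/site.css"></head>'
            '<body><p>How to reach our SecureDrop</p></body></html>',
}

if __name__ == "__main__":
    for label, page in (("bad", BAD_PAGE), ("good", GOOD_PAGE)):
        print(label, audit_landing_page(**page) or "passed")
```

Against the bad page this reports seven findings: no HTTPS, four missing headers, and two third-party loads (the analytics script and the ad pixel), which is exactly the combination the New Yorker and Forbes launches were criticized for. Feeding it a live page's headers and body is left to whatever HTTP client you already use; the audit itself is deliberately offline.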
 
 
Minimum requirements for the SecureDrop environment
 
  • The Document and Monitor servers should be dedicated physical machines, not virtual machines.
  • A trusted location to host the servers. The servers should be hosted in a location that is owned or occupied by the organization, so that its legal team cannot be bypassed with gag orders.
  • The SecureDrop servers should be on a separate internet connection or completely segmented from the corporate network.
  • All traffic from the corporate network should be blocked at SecureDrop's point of demarcation.
  • The server area and the organization's safe should be under recorded video monitoring.
  • Journalists should ensure that, while using the air-gapped viewing station, they are in an area without video cameras.
  • An established monitoring plan and incident response plan: who will receive the OSSEC alerts, and what will their response plan be? These should cover both technical outages and a compromised environment.
 
Suggested
  • For publicly advertised SecureDrop instances, display the Source Interface's hidden service onion address on all of the organization's public pages.
  • Mirror the Tor Browser Bundle so sources do not have to visit torproject.org to download it. 
 
33 days ago
Unfiled. Edited by mailinator 33 days ago
What a local network (where securedrop has been deployed) attacker can achieve:
 
  • Possible ability to link sources to journalists, if they are replying back and forth to each other with low-ish latency
  • Possible ability to correlate whistleblower traffic (generated while learning how to submit to SD by accessing the media website) against a list of suspects provided by the organization whose material has been leaked
 
What a global, active adversary (one who can observe and arbitrarily modify/block Internet traffic) can achieve (in addition to the abilities of a global, passive adversary):
 
 
What a local network attacker (on the network where the media's "landing pages" are deployed, or on the network the whistleblower uses to connect to the internet to read the landing pages, such as a work proxy or home connection) can achieve:
 
  • Log access from whistleblowers learning how to submit to SD, with possible ability to correlate the whistleblower's IP/identity against a list of suspects provided by the organization whose material has been leaked
 
 
51 days ago
Unfiled. Edited by Garrett Robinson 51 days ago
---
 
0 Goals
 
SecureDrop 1.0 will be a complete re-architecture, designed to achieve two primary goals:
 
  1. Each SecureDrop server should offer a simple API for clients to use in submitting information and conversing with journalists. Multiple client designs should be allowed, to satisfy a variety of source threat models and operational environments.
  2. All encryption between sources and journalists should be end-to-end, accompanied with a variety of countermeasures to prevent or at least detect malicious tampering with the SecureDrop server.
 
Additionally, we should consider a design where both the server and client can cooperate to implement mitigations for traffic analysis.
  1. A local observer (in the context of an anonymity network, any eavesdropper between the client and the first hop router) should only be able to determine that the user is using the anonymity network, but not that they are using SecureDrop.
  2. A first step could be to randomly pad requests and responses to obfuscate the traffic fingerprint. Unfortunately, it is difficult to achieve certainty in effectiveness.
  3. "Bucketing" requests and responses, in the manner of Pond, is unfortunately insufficient: the traffic pattern is still identifiable (which is acknowledged by Pond's design document).
  4. We could use a more sophisticated scheme, such as Wright et al.'s traffic morphing. Unfortunately, this is difficult to implement and has also been called into question. In general, the jury is still out on any "efficient" traffic analysis scheme.
  5. Ideally, we would also implement mitigations for global adversary traffic analysis. We obviously cannot stop them from learning that a given user is using SecureDrop due to correlation, but we might be able to prevent them from associating a SecureDrop user with a specific submission or set of submissions.
 
In general, resisting traffic analysis may be better served by removing the assumption of a low latency anonymity network (e.g. Tor). We could consider something high latency (e.g. Mixminion). Unfortunately, there is no existing network with a large anonymity set (comparable to Tor's) and bootstrapping one is decidedly non-trivial.
 
Given the difficulty in implementing and ascertaining confidence in comprehensive traffic analysis mitigation, it may be better to treat it as a goal for a future (1.x) release, and implement simple mitigations for 1.0 (e.g. random padding, maybe bucketing).
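The two "simple mitigations" the paragraph settles on for 1.0, random padding and bucketing, as an added example (not code from the pad or from SecureDrop). Both are applied to the plaintext before it is encrypted, with a length prefix so the receiver can strip the filler; the bucket sizes and the maximum random pad are this example's assumptions. The test values illustrate the pad's own caveat: bucketing hides which of two messages within the same bucket was sent, but the bucket itself, and the timing, are still visible to the observer.

```python
import os
import struct

# Fixed size classes a padded message is rounded up to (example's assumption).
BUCKETS = (1024, 4096, 16384, 65536)
LENGTH_PREFIX = struct.Struct(">I")  # 4-byte big-endian payload length


def bucket_size(payload_len):
    """Smallest bucket that fits the payload plus its length prefix."""
    for size in BUCKETS:
        if payload_len + LENGTH_PREFIX.size <= size:
            return size
    raise ValueError("payload too large for the largest bucket")


def bucket_pad(payload):
    """Pad to a fixed bucket: every payload in the same bucket has the same wire size.

    The filler is random rather than zeros so the padded plaintext does not
    compress or pattern differently from the real data before encryption.
    """
    size = bucket_size(len(payload))
    filler = os.urandom(size - LENGTH_PREFIX.size - len(payload))
    return LENGTH_PREFIX.pack(len(payload)) + payload + filler


def random_pad(payload, max_extra=512):
    """Append a random amount of filler (0..max_extra bytes).

    Cheaper than bucketing, but the wire size still grows with the payload,
    so it only blurs the fingerprint rather than removing it.
    """
    extra = int.from_bytes(os.urandom(2), "big") % (max_extra + 1)
    return LENGTH_PREFIX.pack(len(payload)) + payload + os.urandom(extra)


def unpad(blob):
    """Recover the payload from either padding scheme."""
    (n,) = LENGTH_PREFIX.unpack_from(blob)
    if LENGTH_PREFIX.size + n > len(blob):
        raise ValueError("corrupt padded message")
    return blob[LENGTH_PREFIX.size:LENGTH_PREFIX.size + n]


def observer_view(padded_messages):
    """What an eavesdropper between the client and the first hop learns: sizes only."""
    return [len(m) for m in padded_messages]


if __name__ == "__main__":
    short, long = b"ok", b"x" * 900
    print(observer_view([bucket_pad(short), bucket_pad(long)]))   # both 1024
    print(observer_view([random_pad(short), random_pad(long)]))   # sizes still differ
```

The last two lines show the difference the pad is describing: two very different messages look identical on the wire after bucketing, whereas random padding leaves their size ordering intact. Neither touches timing, which is why the text treats them as a 1.0 stopgap rather than a traffic-analysis defence.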
 
52 days ago
Unfiled. Edited by Trevor Timm 52 days ago
TL;DR: Grab your personal computer, Tails USB, and documents—but leave your phone at home. Use cash and take a bus to a coffee shop you have never been to. Avoid shoulder surfers and CCTV. Using the Tor Browser, or preferably Tails, access your preferred news organization's SecureDrop onion URL from the coffee shop's open WiFi. Always be aware of all the info you are submitting, obvious or not. Only keep info for as long as you need it. Use a location once, then consider it burned. Protect your codename. Don't tell anyone about what you are doing or have done, and never answer questions from investigators without a lawyer present.
 