Python Powered Journalistic Freedom With SecureDrop - Episode 228

Summary

The internet has made it easier than ever to share information, but at the same time it has increased our ability to track that information. In order to ensure that news agencies are able to accept truly anonymous material submissions from whistleblowers, the Freedom of the Press Foundation has supported the ongoing development and maintenance of the SecureDrop platform. In this episode core developers of the project explain what it is, how it protects the privacy and identity of journalistic sources, and some of the challenges associated with ensuring its security. This was an interesting look at the amount of effort that is required to avoid tracking in the modern era.

Do you want to try out some of the tools and applications that you heard about on Podcast.__init__? Do you have a side project that you want to share with the world? Check out Linode at linode.com/podcastinit or use the code podcastinit2019 and get a $20 credit to try out their fast and reliable Linux virtual servers. They've got lightning fast networking and SSD servers with plenty of power and storage to run whatever you want to experiment on.

Announcements

  • Hello and welcome to Podcast.__init__, the podcast about Python and the people who make it great.
  • When you’re ready to launch your next app or want to try a project you hear about on the show, you’ll need somewhere to deploy it, so take a look at our friends over at Linode. With 200 Gbit/s private networking, scalable shared block storage, node balancers, and a 40 Gbit/s public network, all controlled by a brand new API you’ve got everything you need to scale up. And for your tasks that need fast computation, such as training machine learning models, they just launched dedicated CPU instances. Go to pythonpodcast.com/linode to get a $20 credit and launch a new server in under a minute. And don’t forget to thank them for their continued support of this show!
  • You listen to this show to learn and stay up to date with the ways that Python is being used, including the latest in machine learning and data analysis. For even more opportunities to meet, listen, and learn from your peers you don’t want to miss out on this year’s conference season. We have partnered with organizations such as O’Reilly Media, Dataversity, Corinium Global Intelligence, and Data Council. Upcoming events include the O’Reilly AI conference, the Strata Data conference, the combined events of the Data Architecture Summit and Graphorum, and Data Council in Barcelona. Go to pythonpodcast.com/conferences to learn more about these and other events, and take advantage of our partner discounts to save money when you register today.
  • Your host as usual is Tobias Macey and today I’m interviewing Jen Helsby and Kushal Das about SecureDrop, a secure platform for submitting and receiving documents anonymously

Interview

  • Introductions
  • How did you get introduced to Python?
  • Can you start by describing what SecureDrop is and how it got started?
    • How did you get involved in the project?
  • Can you give some background on where and why it is useful?
  • For someone using a running instance, what does their workflow look like?
    • What are some of the ways that you minimize user experience hurdles to prevent them from circumventing the security through laziness or apathy?
  • I was a bit surprised to see the references to the messaging system that is included. Why is that an important feature?
  • What form do the submissions generally take and what are the limits on formats that you can accept?
  • How is the system itself architected and how has the design evolved since the first implementation?
  • In terms of the security protocols and technologies that are implemented, what factors are you considering as you develop the project?
    • What are the weak points or edge cases that could lead to compromise and how do you guard against them?
  • In terms of the deployment and maintenance of a SecureDrop instance, how much technological sophistication is necessary for the organization running it, and how much effort do you put into simplifying it?
  • What are some of the notable uses of a SecureDrop deployment and what motivates you to continue working on it?
  • What are the most interesting/innovative/unexpected uses of SecureDrop that you have seen?
  • How do you approach the sustainability of the platform?
  • What have you found most challenging/interesting/unexpected in your work on SecureDrop?
  • What is in store for the future of the project?

Keep In Touch

Picks

Closing Announcements

  • Thank you for listening! Don’t forget to check out our other show, the Data Engineering Podcast for the latest on modern data management.
  • Visit the site to subscribe to the show, sign up for the mailing list, and read the show notes.
  • If you’ve learned something or tried out a project from the show then tell us about it! Email [email protected] with your story.
  • To help other people find the show please leave a review on iTunes and tell your friends and co-workers
  • Join the community in the new Zulip chat workspace at pythonpodcast.com/chat

Links

The intro and outro music is from Requiem for a Fish The Freak Fandango Orchestra / CC BY-SA

Tobias Macey
0:00:12
Hello, and welcome to Podcast.__init__, the podcast about Python and the people who make it great. When you're ready to launch your next app or want to try a project you hear about on the show, you need somewhere to deploy it. So take a look at our friends over at Linode. With 200 gigabit private networking, scalable shared block storage, node balancers, and a 40 gigabit public network, all controlled by a brand new API, you can get everything you need to scale up. And for your tasks that need fast computation, such as training machine learning models and running your continuous integration, they just launched dedicated CPU instances. Go to pythonpodcast.com/linode, that's L-I-N-O-D-E, today to get a $20 credit and launch a new server in under a minute. And don't forget to thank them for their continued support of this show. And you listen to this show to learn and stay up to date with the ways that Python is being used, including the latest in machine learning and data analysis. For even more opportunities to meet, listen, and learn from your peers, you don't want to miss out on this year's conference season. We have partnered with organizations such as O'Reilly Media, Dataversity, Corinium Global Intelligence, and Data Council. Upcoming events include the O'Reilly AI conference, the Strata Data conference, the combined events of the Data Architecture Summit and Graphorum, and Data Council in Barcelona. Go to pythonpodcast.com/conferences today to learn more about these and other events and take advantage of our partner discounts when you register. Your host as usual is Tobias Macey, and today I'm interviewing Jen Helsby and Kushal Das about SecureDrop, a secure platform for submitting and receiving documents anonymously. So Jen, can you start by introducing yourself?
Jen Helsby
0:01:47
Sure. My name is Jen Helsby, and I'm the lead developer of SecureDrop.
Tobias Macey
0:01:50
and Kushal, can you introduce yourself?
Kushal Das
0:01:52
Hi, I'm also a maintainer of SecureDrop, and I'm part of various other projects, including as a Python core developer, and both Jen and I are also a part of the Tor Project.
Tobias Macey
0:02:02
And Jen, do you remember how you first got introduced to Python?
Jen Helsby
0:02:05
Yeah, I started using Python when I was in graduate school. I did a PhD in astrophysics, and so I started using Python for data analysis. This is some years ago.
Tobias Macey
0:02:14
And Kushal. How about you? Do you remember how you first got introduced to Python?
Kushal Das
0:02:17
I mean, I saw Python back in college days. But, like, in 2005, someone told me that I could try to write applications for my Nokia phone using Python. Sadly, I had a different version of Nokia which never had Python. But yeah, that's how I got into it.
Tobias Macey
0:02:33
And so can you start by describing a bit about what the SecureDrop project is, and how it got started, and how you got involved with it?
Jen Helsby
0:02:40
Yeah, totally. SecureDrop is an anonymous whistleblowing platform that was first created by Aaron Swartz, Kevin Poulsen, and James Dolan around 2012. And that was around the time that WikiLeaks was in its heyday. And they had this submission system, and they were getting interesting documents through it. And so the idea was to create an open source project that would be something similar that major news organizations can use to also get documents while protecting the identity of sources. And so it's not really a new idea, because news organizations have had, like, anonymous tip lines for some time, but doing it in today's kind of surveillance landscape is the challenge. And I got involved, like, three years ago. I had installed SecureDrop and thought it was a great project. And so I started working on it.
Kushal Das
0:03:27
I think my case was different. I saw, like, Freedom of the Press Foundation and SecureDrop from a distance all the time. And back in 2017, I was actually wondering if I should drop an email to Freedom of the Press and say, like, hey, can I work on the project full time? And I was not being able to do so at the time. My wife Anwesha actually pushed me, like, just write to them and see what happens. And that changed many things in life. And I'm happy I'm working on the project.
Tobias Macey
0:03:52
And so can you give a bit of background as to some of the wheres and whys of when the SecureDrop project is used?
Jen Helsby
0:04:00
Yeah, totally. So there are a lot of people that might want to share information with a news organization, but might fear what will happen to them if they are identified as the person who shared the information. So they might be fired, or in more kind of extreme situations, they might even be potentially charged with a crime or worse. And generally, reporters, at least in the US, will refuse to provide a source's identity when asked by the government. And so the general problem is that, you know, in today's world, all communications are mediated by third parties. And the government doesn't need to ask a journalist what the identity of their source is; they can just go to a third party and ask them. And so we started seeing this happen a lot more during the Obama administration, where the government would get a court order to acquire the telephone records of a journalist in order to identify the source. That happened with the Associated Press, for example, under Obama, and happens even more under Trump, unfortunately. And so that's the situation where, if an organization thinks they're going to get sources of that type, then providing SecureDrop, along with other channels, is a good idea.
Tobias Macey
0:05:10
Yeah, given the fact that a lot of the sort of original ways that journalism was done were much more face to face, it was possible to be able to shield your sources, because you didn't have those electronic trails for people to be able to follow and uncover who might have released a particular document. But with the global nature of communication, and the fact that a lot more people will be collaborating over larger distances, it increases the availability and access to that information. But as you said, it increases the potential risk. So it's definitely good that there are platforms such as SecureDrop available to help ensure that there is the availability of that information without necessarily putting people at risk in the process of providing it.
Jen Helsby
0:05:51
Yeah, absolutely. Even, like, meeting physically in the modern age. Sometimes people are like, okay, well, I won't call them on the phone, but then I'll meet them physically. And that still, you know, in a city, certainly produces a significant amount of data because of the CCTV cameras everywhere, facial recognition, and that's something that, depending on the adversary you're concerned about, could be used to identify you. So yes, quite a hard problem.
Tobias Macey
0:06:13
So for somebody who is running an instance of SecureDrop, and somebody who wants to submit some information to that organization, what does the overall workflow look like for the person who is submitting, either in terms of just discovering the availability of it in the first place, and then actually providing the information, and then on the receiving end, the actions required to actually retrieve that information and make use of it?
Kushal Das
0:06:37
Yeah, I mean, I can talk from the source's point of view, and then Jen can explain what happens from the journalist's point of view. So generally, most of the news organizations also publish the URL of their SecureDrop instance via other media, like the normal news website; some physical newspapers also print it in the physical copy. And we also have, like, a directory where we have verified URLs from different organizations that are running SecureDrop. So a source can identify it from many of these. Or one particular case we saw, like, one organization actually put their URL on a billboard in front of another large organization. So when a source sees these and, like, if they try to read a little bit more about how they can submit, all of these websites generally also give some sort of bare minimal steps for the sources, how they can actually use the Tails operating system, you know, go to a different network, like a cafe or somewhere, like, don't try to do anything from your office network. And they will open up, using Tor Browser on Tails, they can open up the instance and just click and log into the box and submit any documents, or they can ask any question, they can send some sort of messages. And from the source's point of view, they do not get a username, password or any details; they just get one long diceware-generated password, which they just remember for next time's use. Jen, you want to go ahead for the journalist?
Jen Helsby
0:08:05
Once the source has uploaded either documents or messages to the SecureDrop web server, then the journalist will come along and they will access another web application that is separate from the web application that sources are using, again using Tor Browser. And they will download those documents, whatever they're interested in, and then they will transfer those documents across an air gap. So they will transfer it to a machine that's never been connected to the internet and is not currently internet connected, using some storage device like USB drives or CDs. So they take these documents across, and that is where they decrypt and read those documents, on an air-gapped machine which we call the secure viewing station. And so that's the only place where documents can be decrypted. So at that point, they'll either decide to respond to the source, in which case they need to go back to an online machine and send messages back to that source, who can then log in again and read them, or they will transfer those documents that they've decrypted to another workstation in the newsroom or print them out, such that they can take them to their editor or whatever their workflow is after that point. So it's kind of a bit laborious having to traverse this air gap. But the main concern that motivates that design is it's one of those scenarios where you're asking just random people on the internet to submit to you files of any type, and then the journalist is going to open those files. And so the concern is, what if the file contains malware? And so we want to keep that compartmentalized from the rest of the system.
Tobias Macey
0:09:40
And because of the fact that there is the potential for malware, I'm wondering what any sort of best practice or standard operating procedure is in terms of the air gap computer, as far as ensuring that it is up to date with its security updates, and has some sort of adequate protection to prevent any sort of malware from corrupting the rest of the machine. Or, I mean, given the fact that it's air-gapped, there's less of a sort of blast radius, where you don't have to worry about it escaping from there. But I'm wondering if there's any sort of potential compromise as far as other information on the machine that might get destroyed in the process of opening some of those files, or just making sure that the overall security of that system is up to date as well, given that it's not connected to the internet?
Jen Helsby
0:10:25
Yeah, I mean, one of the main challenges with an air gap is it's not going to be getting automatic security updates. And so people do need to manually update. The main concern right now with this air-gapped system is, if an attacker can get code execution, it is the same place where the private key is stored. And so we still don't want to allow that to happen. If they do get code execution, all of the physical devices that could be used to exfiltrate data are removed. So for example, the network cards are removed, the mics are removed, etc. So if you can get a foothold, it's hard to get data off the system.
Kushal Das
0:11:04
Oh, I was saying that we also use Tails on both the journalist workstation and also the SVS, the secure viewing station. So it does also provide some sort of, like, support as an air-gapped system here.
Jen Helsby
0:11:18
Tails has this amnesic property, which is why we use it. So almost everything on the system will be destroyed when you reboot it. So there's just one directory that persists, and everything else is destroyed. So that's a real advantage in the case of malware potentially getting a foothold on the secure viewing station.
Tobias Macey
0:11:41
And as you mentioned, some of the overall workflow, particularly on the receiving side, is a bit laborious. And then also for the person who's submitting the information, as you said, there's the potential for responding back to them, but it requires them to actively go back and log in with that randomly generated password to be able to see if there are any return messages, without any way of being notified of their presence. So I'm curious if there's any sort of common workflow that people use to try and reduce any sort of latency or barrier as far as the return communication, to maintain some sort of a dialogue, or if the document submission can serve as the riskiest piece of business, and then the rest of the communication can happen in somewhat of a more convenient form factor.
Jen Helsby
0:12:27
So there are people that just come to SecureDrop, dump documents and never return. And then there are people that have these more extended interactions, like there are people that only talk through SecureDrop and have, like, long running relationships with journalists. And the truth is that we don't know too much about individual news organizations. I should have said that we just write the software, and then news organizations install it and operate it themselves. We can't SSH into anybody's SecureDrop; it's all managed by administrators at each individual organization. And as a project, we don't want to know too much. I mean, we need to know some about what users are doing in order to design the system. But we don't want to know too much, because it's obviously very sensitive, and that makes us a place where you could go to gather information about these common workflows and potentially use that to attack a news organization.
Tobias Macey
0:13:23
And also in terms of just the overall user experience, having too many sort of difficult steps or too much inconvenience in the process can often lead people to just short circuit the security and take shortcuts that will reduce the overall effectiveness of the system. And I'm wondering how you approach that user experience and education step to ensure that the overall use case and workflow of SecureDrop remains secure, and sort of prevents people, or encourages people not to take those shortcuts that might compromise it.
Kushal Das
0:13:55
It's kind of hard for the journalists to actually use any other system than the proper journalist workstation to access the SecureDrop instance. And finally, even from the journalist workstation, journalists can download any kind of submission, but they cannot view it until they actually move it to the air-gapped secure viewing station. So even if they want, there is no such simple way to, like, you know, bypass the security. The way it is designed, it's difficult, and it has become such a, like, difficult level which cannot easily be bypassed to make that whole flow easy right now.
Jen Helsby
0:14:33
Yeah, they would need to know how to, like, export private keys and stuff like that to circumvent the security.
Kushal Das
0:14:38
And we also do trainings at those places, most of those places where they take help from us about installing SecureDrop and things. So, like, Freedom of the Press Foundation's digital security team, they not only teach about how to use SecureDrop and make it into muscle memory, they also have them learn about Digital Security 101 and more details, so that the overall digital security hygiene is better for the journalist.
Tobias Macey
0:15:03
And going back to the messaging system, because of the fact that this is, at least at face value, more of a one way relationship, where somebody will submit documents to the news organization, I'm curious why you feel that the return messaging, and being able to have that be a communications channel, is important to the overall workflow and utility of the system.
Jen Helsby
0:15:25
Yeah, one of the challenges with a system like this is that the source-journalist relationship is a human one. And so it can be hard to develop that rapport without having some kind of back and forth. It might take some time before a source is comfortable sharing something, until they know that it's going to be handled properly and that they're kind of going to be safe. And so you can imagine that that's one of the uses of the messaging system. And journalists might have follow up questions; they might need clarification on what a document means, if it's particularly technical in nature, or they might kind of need a pointer to where they can find out more. And so that kind of back and forth is what the messaging system is most useful for.
Tobias Macey
0:16:10
And then also, as far as the types of submissions, I'm curious what form they generally take, whether they're PDF documents typically, or if they're sort of zip archives, just the sort of general volume and scope and sort of format support that's necessary for ensuring that you're able to access that information on the secure workstation, the air gap workstation, once you've retrieved it.
Kushal Das
0:16:34
There is a file size limitation, like 500 MB, to start with. Then, as far as the file types are concerned, there is no limitation. Sources can submit any kind of document. And depending on how the journalists want to view those documents in future, like after they decrypt it on the secure workstation, they may want to move it out to some other system, like some other fancy system, maybe to be able to play that video or open the document and watch the document.
Jen Helsby
0:17:04
Yeah, generally what we try to have good support for, in terms of, like, opening documents, is, like, office kind of documents, PDFs, most common audio and video formats. That's what you can open up on a Tails machine. And I think, you know, like, if you get a SQL database dump or something like that, that would need to be taken to either another machine, or the news organization would need to ferry something that can open that file nicely onto the workstation.
Tobias Macey
0:17:33
And then in terms of the overall system architecture, I'm wondering if you can talk through how it's designed and how it's deployed, and some of the reasoning behind using Python as the implementation language.
Jen Helsby
0:17:46
Sure, yeah. So the way that it's architected right now is every news organization installs two servers, and they both run Ubuntu Server. One server is an application server, so that hosts two web applications: one that's used by the sources to submit the documents, as previously described, and one that's used by journalists to access documents. So that's the first server, which we call the application server. And then the second server is a monitoring server that runs a host-based IDS that just monitors the application server and then sends alerts for potentially suspicious activity to administrators, administrators here being the person at the news organization who's charged with keeping the SecureDrop up and running. And then we have a network firewall that separates the SecureDrop area of the network from the rest of the network, in case there's a compromise of the news organization's network or a compromise of the SecureDrop network, just to keep things separated. And all of that is hosted on prem at the news organization. So it might be in their data center, or it might be, you know, in some cases, like, the editor's office or the General Counsel's office. And then both sources and journalists only access the app server through Tor onion services. And that is done primarily to protect sources and make sure that they do come in through Tor. And then admins can either use Tor or they can just use the regular LAN to administer the servers. And then also, a news organization needs to have an online journalist workstation that the journalists can use to download documents, and then the secure viewing station that is air-gapped, as described earlier. In terms of using Python, we want to generally pick technologies that are widely used and established and easy to maintain, and we really do get an advantage from using Python. So we use that for the two web applications and for a CLI that administrators use to administer the system.
Tobias Macey
0:19:49
And given that the organizations that are running these instances don't necessarily have a lot of technical staff, particularly in the case of independent news organizations that may be fairly small, I'm wondering how you approach the overall system design to reduce the maintenance burden on those organizations and ensure that they're able to keep it up to date and appropriately secure, so that it fulfills its original intent.
Kushal Das
0:20:15
Like, what the actual administrator sees is basically a couple of small commands. And as Jen said, those are written in Python. But what those commands actually do is that they fire up Ansible, and it will play, like, playbooks. And those playbooks make sure that the servers are in the correct state, like iptables rules, like what software has to be installed, what kind of kernel it should run. All details for all of those servers are exactly the same, and that we can only achieve by using these Ansible runs. And that also helps to make sure that, even if the administrator doesn't know much about Linux systems, they can just type this one single command, which will make sure that the servers are in the latest good state, the way it should be.
Tobias Macey
0:21:00
As far as the overall security protocols and technologies that you're using, what are some of the main factors that you're considering as you develop the project, and any weak points or edge cases that you are aware of and that you try to guard against that could potentially lead to a compromise?
Jen Helsby
0:21:16
Yeah. So generally, as I said earlier, we try to use widely used and established tools. So for example, if we add a dependency, we want to make sure that it's very commonly used. And, you know, when we make an update to that dependency, we'll review the changes; we do things like that. In terms of just general architecture for the project, we do threat modeling to analyze the functionality, the potential threats, and then when we're deciding what mitigation to apply, we go back to the threat model. So we have a document that's internal that contains every potential threat to the system, and then we try to rank all those threats to determine how to allocate engineering effort, so that we don't spend time mitigating threats that are either low impact or very hard to actually execute as an adversary. In terms of weak points and edge cases, probably the biggest challenge right now is just that there are limits to what, you know, any technical tool can do. So there are cases where sources can be identified. And, you know, unfortunately, we have seen this, not necessarily people that use SecureDrop, but people that try to share information with news organizations: operational security failures. You know, if you're using a tool like SecureDrop, and then you also email the news organization directly, and those kinds of situations. Or if you're in an organization as a leaker, and you're sharing a document that only a few people have access to, and access to the document is logged, that's another really challenging problem that we can't really engineer around. And so those are the biggest threats that face potential sources right now. And I think, you know, certain organizations realize that just having really good logging and alerting internally can potentially mean that as soon as somebody plugs in a USB drive, you can flag it. So that is probably the biggest issue.
Tobias Macey
0:23:09
And as far as the overall development of the platform, what have been some of the most interesting or unexpected or challenging aspects in your experience of working on it and maintaining it and interacting with users?
Kushal Das
0:23:21
Is this for development, or, like, use cases, or things we found interesting?
Tobias Macey
0:23:25
Yeah. So for now, mainly just focusing on the actual development and maintenance of the project, and then we'll talk about some of the interesting use cases after.
Kushal Das
0:23:33
I think, for me, like, what I always find really challenging is that we are trying to secure systems where we do not have any access to all the SecureDrop instance servers; they are running inside the organizations that are running them. And we as developers, like, have zero access to those. So somehow, we have to make sure that those systems get upgraded and stay as secure as they should be. That's one of the biggest ones in my mind. Yeah, Jen?
Jen Helsby
0:24:00
Yeah, that's an ongoing challenge, especially because we're supporting, like, we have contracts with some news organizations to help support the instance. And then another issue is just designing a system while trying to intentionally not know too much about how it is used. That's kind of an ongoing issue.
Tobias Macey
And as far as any sort of interesting or unexpected uses of SecureDrop, or notable cases where it has proven beneficial, I'm wondering if there are any stories that you can share on that front.
Jen Helsby
There's a recent case, which was announced at DEF CON this month, at the beginning of this month, that apparently the US federal government is going to use SecureDrop in order to get security vulnerabilities. So the reason why they want SecureDrop in that case is potential security researchers are concerned about retribution. And so if they could submit through SecureDrop, they can make sure that whatever agency is aware of the vulnerability and fixes it, without them being identified.
Kushal Das
0:25:02
And there is the other story, which is about, like, someone wrote an anti-diversity memo at Google, and it got leaked multiple times, multiple versions, via SecureDrop to different organizations, which was big news all across.
Tobias Macey
0:25:17
Yeah, that definitely took a while for people to get around, and there was a lot of conversation and consternation on all sides of that conversation. And then in terms of the overall sustainability of the platform and the project, how do you approach any sort of required funding and making sure that you have an appropriate level of staffing on the development side, and then also the overall process for user feedback to ensure that you're incorporating new features or system improvements that make sure that everybody who's using SecureDrop is getting the benefit that they want?
Jen Helsby
0:25:52
Yeah, totally. So in terms of sustainability of the project, to kick it off, it's been really fortunate that the project is supported by Freedom of the Press Foundation. So Kushal and I are both employed by Freedom of the Press Foundation. They took the project over after Aaron Swartz unfortunately passed away, I believe in 2012. And so FPF, which is short for Freedom of the Press Foundation, has supported development for several years since then. We've also been fortunate to get funding from Mozilla Open Source Support, which supports a bunch of internet freedom projects like Tor as well. And so thanks to their support, and other kind of grant-based funding and small donors that donate to FPF, we've been able to keep the project maintained. In terms of user feedback, we get user feedback either through just our bug tracker, like other projects, or we have like a private support portal that organizations that install SecureDrop can use to file tickets if there's an issue or if there's something that they want changed. Then we also do surveys and user testing, and we chat privately to existing users of SecureDrop to do that.
Tobias Macey
0:27:06
Since SecureDrop is a platform that provides a means for circumventing surveillance, I'm wondering if there have been any cases where you've had to deal with any sort of pushback from either governments or other organizations that are either trying to shut the project down or have some sort of influence over it?
Kushal Das
0:27:26
Not that I know about anything?
Tobias Macey
0:27:28
Yeah, yeah, I'm not aware of anything like that either. I mean, I think we both started working on the project when it had already kind of become pretty mainstream, and a lot of big news organizations like the New York Times, etc. were using it. And so I think it would be pretty controversial if, you know, a government agency were to kind of publicly go after SecureDrop the project at this stage. And then in terms of the overall system maintenance, you mentioned that you have the Ansible playbooks that allow users to get it deployed. I'm curious how you publicize to the different agencies that there's a new release available, and how you simplify the update process to ensure that they're running the latest versions, particularly if you have any dependencies that have some sort of CVE or vulnerability that's present on the system, to ensure that they stay up to date. And then particularly for long-running instances, how you help them with any sort of system upgrades of the underlying operating system.
Kushal Das
0:28:29
So like all SecureDrop servers, by default, they get any security updates that come out from Ubuntu as an operating system. And then we also, like, if there are any changes from us, or a new version, or a new bug-fixed version, those will also get pulled into the servers and deployed without any intervention from the system administrators. And the servers regularly get rebooted every day, based on the time the sysadmins decided. And we do a lot of QA on those updates to make sure that those updates can pull in any other actual security updates or any other kind of dependencies which are required to be there. And as far as the operating system updates, like we did one recently, we moved from Trusty to Xenial Ubuntu. And for that, we actually worked a lot on the messaging and making sure that administrators get the proper steps and, like, documents and everything, so that they can go through the certain steps to make sure that the transition happens without any hiccups. So all of those things together help the systems to be updated.
Tobias Macey
0:29:44
And then also as far as testing and verification, I'm wondering what that QA process looks like to ensure that you're not introducing bugs, or potential regressions, or security vulnerabilities into the platform as you're preparing a release.
Kushal Das
0:29:58
SecureDrop is a free software project, and the source code, the bug trackers, and everything is public. And anyone who wants to can actually go and check; they will find the issue filed for each release, where we have a huge amount of QA steps, like each and every part of the project we manually verify. And then, if you ask me as a developer, this is one of the best tested projects I've seen in my life, as far as the integration test cases, the kind of unit test cases we have in the project. And for any kind of feature to go in, it actually gets verified by multiple reviewers. And then we all, like, continuously run and execute those scripts on actual servers to make sure that the server behaves the way it should. And we have like two weeks of
Jen Helsby
0:30:49
Yeah, before every release, I was gonna say the exact same thing, that we do a freeze two weeks before release. We want to test everything and make sure that, you know, even though every new feature has test coverage, we still want to test things manually, because some parts of the architecture are difficult to have automated tests for. So we have tests for the web application, we have tests for the system state using Testinfra, but, for example, the full workflow of installing from Tails to the servers, that's not fully tested. And so we do do that each regular release, and multiple times.
Tobias Macey
0:31:29
As far as your overall experience for each of you individually. In on the project what have been some of the most interesting or unexpected or useful lessons that you've learned in the process?
Kushal Das
0:31:39
I think Jen already mentioned one of the things, that supporting any project where we do not have any kind of access, that was kind of difficult. And like me building a system which will be used by people who are not always so much into Linux, or like friendly to the, our, our instance, like the developers we are, like. So building any new system for users, keeping those users in mind, is always a challenge.
Jen Helsby
0:32:07
I guess for me, like, making sure, you know, for any system that has a large number of potential threats, making sure that time is being spent on the kind of lowest hanging fruit in a more rigorous way, like we've done with the threat modeling process I described earlier, is so valuable. Because, as kind of security nerds, sometimes we want to focus on the most interesting attacks that we can think of, and it can be tempting to get drawn into those. By kind of having a more rigorous approach to it, okay, the easiest thing that an attacker could do is X, like, let's make sure that we reduce the risk of this and come up with the mitigation, is really valuable. And I haven't really seen too many projects of this type publicly presenting that information, kind of how they went about the threat modeling process. It would be cool to see that. We've shared some of our threat modeling documentation in our public docs at docs.securedrop.org. And as far as any particular packages or libraries that have been most useful in the process of building SecureDrop, I'm wondering if there are any that are notable that you'd like to call out.
Kushal Das
0:33:11
With Epic SN is Flask. And we also already mentioned Ansible, that deploys the whole application, and we use Molecule for testing and Testinfra for the testing part. And then the Tor project is obviously one of the biggest things of the whole project, or SecureDrop. Jen?
Jen Helsby
0:33:27
Yeah, for security automation, a project that we use which is really great, expanded to do static analysis, which we run in CI, is Bandit and Safety, so that we can fail CI when a CVE is found in one of our dependencies, and if other issues are introduced in a PR. It just reduces the amount of manual review. It's really great, you know, easy to integrate, and probably useful for any project, not just one that's security sensitive. In terms
Tobias Macey
0:33:52
of the future of the project, what are some of the new features or improvements or just overall work and effort that you you have in store in the near to medium term and any help that you are looking for from the community to improve it or add new capabilities?
Jen Helsby
0:34:09
Sure. So I guess one of the challenges right now is that we've made it pretty easy for sources to share documents with journalists; they just need to download Tor Browser and get to a website, basically. But a lot of that complexity has been offloaded to the journalist side, as, you know, was described earlier with this kind of clunky workflow. And so one of the things we've been working on is making it easier for journalists to check SecureDrop, so that instead of it taking maybe 30 minutes, it maybe could only take five minutes. And so we've been working on a project for a journalist workstation that combines the currently two separate workstations. So right now, we have this online workstation that's connected to the internet that they use to download the documents. And then we have a separate workstation that's air-gapped that they use to read the documents. And so we've been experimenting using Qubes, which is a great project, and you should all check it out, which is basically a Xen distribution where everything is running inside a VM. And so they also have this concept called a disposable VM, which is kind of perfect for SecureDrop, because it's the kind of situation where you could open a potentially malicious submission in this disposable VM. If it gets popped, it's fine. It's compartmentalised in the VM, modulo Xen escapes, and then it's destroyed after use. And so we've been experimenting, kind of architected a kind of inter-VM pipeline that would download documents, pass them to a VM that's running a nice GUI for the user, and then when the user clicks a button, Open Document, it opens in this disposable VM. So all the code for that is public on our GitHub org, freedomofpress. And so if you're interested in helping out, probably the easiest place for people to get involved would be this GUI that I described, which is written in Python with PyQt, and there's a lot of active development on that right now.
Tobias Macey
0:36:02
Are there any other aspects of the SecureDrop project or the use cases that it enables that we didn't discuss yet that you'd like to cover before we close out the show?
Jen Helsby
0:36:11
I don't think so. But if you are maybe interested in learning about the organizations, if you have information you would want to share, you should download Tor Browser and then go to securedrop.org/directory to get a list of many of them.
Tobias Macey
0:36:27
All right. Well, for anybody who wants to get in touch with either of you or follow along with the work that you're doing, I'll have you each add your preferred contact information to the show notes. And so with that, I'll move us into the picks. And this week, I'm going to choose laser tag, because I got to hang out with my kids yesterday and some of their friends and our friends, and we all had a lot of fun playing laser tag together. So it's not something I've really done in the past, but it turned out to be quite enjoyable. So if you're looking for something to get up and move around and have fun doing it, it's worth taking a look at that. And with that, Kushal, do you have any picks this week?
Kushal Das
0:37:02
Oh, I'm actually waiting, not for this week, but within a few weeks, like, Edward Snowden's book is coming out, so I'm just waiting for that.
Tobias Macey
0:37:11
All right, and Jen, do you have any picks this week?
Jen Helsby
0:37:13
Do I have any picks? Huh? I'm racking my brain. I don't know that I do. But I will definitely check out Edward Snowden's book, released September 17.
Tobias Macey
0:37:23
Alright, well, thank you both for taking the time today to join me and discuss your work on SecureDrop. It's definitely an interesting project and an interesting problem space. So I appreciate your efforts on that, and I hope you enjoy the rest of your day.
Unknown
0:37:36
Thank you. Thanks, Tobias.
Tobias Macey
0:37:40
Thank you for listening. Don't forget to check out our other show, the Data Engineering Podcast, at dataengineeringpodcast.com for the latest on modern data management. And visit the site at pythonpodcast.com to subscribe to the show, sign up for the mailing list and read the show notes. If you've learned something or tried out a project from the show, then tell us about it. Email hosts@podcastinit.com with your story.
Unknown
0:38:03
To help other people find the show. Please
Tobias Macey
0:38:05
leave a review on iTunes and tell your friends and coworkers