"The conclusion of our analysis is that many of the technical properties of DeadDrop are decent; however, we do not believe that DeadDrop is yet ready for deployment in an ecosystem with nation-state capable adversaries and non-expert users. The lack of software versioning, reliance on VPN, the errors in the installation and deployment documentation, leaking of document metadata, and lack of anonymity best practices all contribute to our reluctance for suggesting that DeadDrop is ready for mass deployment.

Additionally, the usability of the system is sometimes lacking, potentially leading to insecure use. For example, DeadDrop requires a fair amount of technical sophistication on behalf of journalists (such as being able to use the GPG encryption software) and sources (such as being able to sanitize the metadata in the submitted documents). We believe that this lack of usability may lead to failures in anonymization. We enumerate the usability pitfalls we found, as well as suggested remediation approaches in our report."
[Speaking as a contributor to the project] We tried to fix as many of the security issues in that audit as we could before the 0.1 release, but we think that the project could be redesigned to be more usable. Pull requests are welcome! You can see some of the more pressing issues at https://github.com/freedomofpress/securedrop/issues?mileston....
It'd be nice to hear some kind of numbers of whether it got much use at the New Yorker, and what kind of hang-ups they ran into. Aaron was a great person and the kind of civic coder we need more of, but that doesn't mean he was an immaculate expert at coding interfaces (both graphical and conceptual), and the accessibility of this application is key. Accessibility, besides cryptographic soundness, is probably the most important feature... its side effect is adaptability, and while such an app is bound to have a small niche, it needs active users and maintainers... Even the Tor Firefox browser fails without proper updates.
According to the New Yorker, they received the documents but did not respond because they mistook them for input generated by their own internal tests. See [1], linked from [2]
> Since then, the application has gone through an extensive security audit led by a team at the University of Washington, which also included input from noted information security experts Bruce Schneier and Jacob Appelbaum.
I bet this is like that time Jake was in the room when a bunch of Europeans cracked the PKI and he made sure to get his name on the list.
Seeing him listed next to people who actually know what they're doing is a sad testament to his ability to play the media.
SF folks who want to contribute to SecureDrop: we're having a SecureDrop hackathon as part of the Aaron Swartz Memorial Hackathon series Nov. 8-10: http://aaronswartzhackathon.org/
The event kicks off at Internet Archive on Friday night, and will be at Noisebridge all weekend after that.
Once a reporter has taken possession/responsibility for your communication, do your future communications still end up in the general bucket, or can they be restricted only to that reporter?
At the moment, the design is such that there is a single "master" public key for each Securedrop installation that all submissions are encrypted with. The journalists are advised to download the encrypted submissions, transfer them to the airgapped Viewing Station, decrypt them with the "master" private key (which is only stored there), and then optionally re-encrypt them to their personal public key if they want to transfer them to their personal workstations.
It would certainly be possible for this process to be automated with some additions to the journalist backend, and in that case once a journalist had taken responsibility for a particular source's communications, further communications could be restricted for their eyes only.
Thanks for the info! I imagine that for people reaching out who may need to establish an ongoing, anonymous, relationship with a reporter, the ability to use the same system the reporter is familiar with, but know that it will only be them viewing it, might be a useful feature.
Just wondering how it's secure, and anonymous when every meta/sub/unknown/etc...particle(WIMPs/etc..) is monitored in (more than[future analysis through simulation])real-time for each individual entity in/out-of existence.
My attempt at a translation: I wonder how secure and anonymous it can be, when it seems that everything, maybe even subatomic particles, are monitored in real time. (And people are possibly using simulations to predict the future?)