🆕 Software Suggestion | SecureDrop in File Sharing #1691
Reference: privacyguides/privacytools.io#1691
Basic Information
Name: SecureDrop
Category: File Sharing
URL: https://securedrop.org/ (sourcecode, list of instances)
Description
SecureDrop is an open-source whistleblower submission system on a Tails LiveCD that media organizations can install to securely accept documents from anonymous sources. It forces good practices such as Tor connection to avoid logging IP addresses and metadata, and the use of an air-gapped computer to decrypt received files.
Why I am making the suggestion
Probably the most secure way to receive files. I am not sure it should be recommended (because it is complicated to use), but it's at least worth mentioning I think.
I suggest to move from More Privacy Resources#Tools to the File Sharing category, or to copy, because it's not only a service provided online but also a software anyone can use to create a sort of secure dropbox-like system.
My connection with the software
None, just (re-)discovered it after reading a post comparing it with OnionShare.
I am not certain where this should be as it's more of an organisation-facing tool alongside the team chat section, but I guess it can also be a way for a family tech person to receive photo albums securely without having to set up a new OnionShare every time?
I haven't ever looked into SecureDrop in greater detail.
Actually OnionShare has a public mode option (no login and no bruteforce
protection) and also a persistent mode option (can relaunch and reuse same
address as before) which allows to use it as a server.
SecureDrop is just in the same idea, a tool to easily set up a Tor onion
node to receive files, but it takes security a step further by running in a
livecd and requiring that data decryption of received files be done on an
air-gapped computer (I did not test yet but I think you can reuse the same
livecd on another computer, it should offer a special "decryption mode" on
startup that cuts internet off).
So yes although SecureDrop is targeted at organizations, it can be run by
anyone who can burn and boot a livecd, and is the most secure way to
receive files, so anyone can use it for whatever purpose they want (such as
family photos as you say).
On Tue, 4 Feb 2020 at 14:15, Mikaela Suomalainen notifications@github.com
wrote:
Foreword: I did not write this reply, nor have I even read or reviewed anything stated below 😅 The following was written by @-____:privacytools.io in #general:privacytools.io.
🚫 I oppose the inclusion of SecureDrop.
Abstract
SecureDrop is more suited for organizations, such as media presses to receive materials provided by whistleblowers, rather than individuals to transfer photos from phones to laptops. PrivacyTools aims at providing more specific suggestions to "normal" people rather than, say, the next Edward Snowden or an independent journalist in Syria wanted by the government. Therefore, PrivacyTools should not add SecureDrop, in my opinion.
Reasons
SecureDrop is not intended for personal use
SecureDrop [1] is a file sharing program, aimed at providing a secure submission system for whistleblowers to provide documents securely and anonymously. As its official website says,
Therefore, although it's viable to "be run by anyone who can burn and boot a livecd", such uses are not supported by the official developers and may not be a good idea.
Actual use cases of SecureDrop are also mostly by news organizations, such as The New York Times [3] and The Guardian [4], and NGOs, rather than individuals.
The poster also mentioned OnionShare [5], however, OnionShare is intended for personal use as well. [6]
SecureDrop is not suited for personal use
The strength of SecureDrop not only comes from its software design, but also the security of servers. Most media organizations that use SecureDrop, for example, physically own their servers [7] and put them at very secure places, such as bunkers. Such conditions would be tedious for personal use.
Besides, the poster said
This is not completely true. As the official website of SecureDrop said,
The installation of SecureDrop is not easy, and it requires continuous complicated maintenance, or its security would be compromised. It is unrealistic, if not impossible, for an individual to do such time-consuming and complicated work.
While SecureDrop still works without such fine caring, its security would be largely reduced. As the essence of SecureDrop is to provide a very secure platform, this defeats the whole purpose of it.
To summarize, SecureDrop is 1) not intended for personal use and 2) not suited for personal use.
PrivacyTools recommends software and services for personal use
Privacy-loving people can range from a "normal" person just not wanting to have their data collected by Google or Facebook to Edward Snowden or other whistleblowers, and PrivacyTools aims at providing specific information to the former, rather than the latter. Therefore, PrivacyTools should recommend software that most people can use in their daily lives conveniently and privately, rather than software like SecureDrop, which are dedicated for special use cases.
Conclusion
PrivacyTools should not add SecureDrop.
The post is hereby released using the CC0 license. The author waives all copyrights and neighbouring rights to the extent possible under laws.
References
[1] https://securedrop.org
[2] ibid.
[3] https://www.nytimes.com/tips
[4] https://www.theguardian.com/securedrop
[5] https://onionshare.org/
[6] https://github.com/micahflee/onionshare/wiki
[7] E.g. The SecureDrop servers are under the physical control of The New York Times., see [5]
As we are mostly focused on things common users should use instead of full organizations, it is probably a better choice to not list SecureDrop.