🆕 Software Suggestion | SecureDrop in File Sharing #1691

Closed
opened 2020-02-04 00:30:03 +00:00 by lrq3000 · 4 comments
lrq3000 commented 2020-02-04 00:30:03 +00:00 (Migrated from github.com)

Basic Information

Name: SecureDrop
Category: File Sharing
URL: https://securedrop.org/ (sourcecode, list of instances)

Description

SecureDrop is an open-source whistleblower submission system on a Tails LiveCD that media organizations can install to securely accept documents from anonymous sources. It forces good practices such as Tor connection to avoid logging IP addresses and metadata, and the use of an air-gapped computer to decrypt received files.

Why I am making the suggestion

Probably the most secure way to receive files. I am not sure it should be recommended (because it is complicated to use), but it's at least worth mentioning I think.

I suggest to move from More Privacy Resources#Tools to the File Sharing category, or to copy, because it's not only a service provided online but also a software anyone can use to create a sort of secure dropbox-like system.

My connection with the software

None, just (re-)discovered it after reading a post comparing it with OnionShare.

  •  I will keep the issue up-to-date if something I have said changes or I remember a connection with the software.
Mikaela commented 2020-02-04 13:15:56 +00:00 (Migrated from github.com)

I am not certain where this should be as it's more of an organisation-facing tool alongside the team chat section, but I guess it can also be a way for a family tech person to receive a photo album securely without having to set up a new OnionShare every time?

I haven't ever looked into SecureDrop in greater detail.

lrq3000 commented 2020-02-04 23:16:44 +00:00 (Migrated from github.com)

Actually OnionShare has a public mode option (no login and no bruteforce
protection) and also a persistent mode option (can relaunch and reuse same
address as before) which allows to use it as a server.

SecureDrop is just in the same idea, a tool to easily set up a Tor onion
node to receive files, but it takes security a step further by running in a
livecd and requiring that data decryption of received files be done on an
air-gapped computer (I did not test yet but I think you can reuse the same
livecd on another computer, it should offer a special "decryption mode" on
startup that cuts internet off).

So yes although SecureDrop is targeted at organizations, it can be run by
anyone who can burn and boot a livecd, and is the most secure way to
receive files, so anyone can use it for whatever purpose they want (such as
family photos as you say).

On Tue, 4 Feb 2020 at 14:15, Mikaela Suomalainen notifications@github.com
wrote:

I am not certain where this should be as it's more of an organisation-facing
tool alongside the team chat section, but I guess it can also be a way
for a family tech person to receive a photo album securely without having to
set up a new OnionShare every time?

I haven't ever looked into SecureDrop in greater detail.



Foreword: I did not write this reply, nor have I even read or reviewed anything stated below 😅 The following was written by @-____:privacytools.io in #general:privacytools.io.


🚫 I oppose the inclusion of SecureDrop.

Abstract

SecureDrop is more suited for organizations, such as media presses to receive materials provided by whistleblowers, rather than individuals to transfer photos from phones to laptops. PrivacyTools aims at providing more specific suggestions to "normal" people rather than, say, the next Edward Snowden or an independent journalist in Syria wanted by the government. Therefore, PrivacyTools should not add SecureDrop, in my opinion.

Reasons

SecureDrop is not intended for personal use

SecureDrop [1] is a file sharing program, aimed at providing a secure submission system for whistleblowers to provide documents securely and anonymously. As its official website says,

SecureDrop is an open source whistleblower submission system that media organizations and NGOs can install to securely accept documents from anonymous sources. [2]

Therefore, although it's viable to "be run by anyone who can burn and boot a livecd", such uses are not supported by the official developers and may not be a good idea.

Actual use cases of SecureDrop are also mostly by news organizations, such as The New York Times [3] and The Guardian [4], and NGOs, rather than individuals.

The poster also mentioned OnionShare [5], however, OnionShare is intended for personal use as well. [6]

SecureDrop is not suited for personal use

The strength of SecureDrop not only comes from its software design, but also the security of servers. Most media organizations that use SecureDrop, for example, physically own their servers [7] and put them at very secure places, such as bunkers. Such conditions would be tedious for personal use.

Besides, the poster said

SecureDrop is just in the same idea, a tool to easily setup a tor onion
node to receive files, but it takes security a step further by running in a
livecd and requiring that data decryption of received files be done on an
air-gapped computer

This is not completely true. As the official website of SecureDrop said,

Because the installation and operation are complex, and because SecureDrop can only be as secure as the operational security practices followed by its users, Freedom of the Press Foundation will also help organizations install SecureDrop and train journalists and administrators.

The installation of SecureDrop is not easy, and it requires continuous complicated maintenance, or its security would be compromised. It is unrealistic, if not impossible, for an individual to do such time-consuming and complicated work.

While SecureDrop still works without such fine caring, its security would be largely reduced. As the essence of SecureDrop is to provide a very secure platform, this defeats the whole purpose of it.

To summarize, SecureDrop is 1) not intended for personal use and 2) not suited for personal use.

PrivacyTools recommends software and services for personal use

Privacy-loving people can range from a "normal" person just not wanting to have their data collected by Google or Facebook to Edward Snowden or other whistleblowers, and PrivacyTools aims at providing specific information to the former, rather than the latter. Therefore, PrivacyTools should recommend software that most people can use in their daily lives conveniently and privately, rather than software like SecureDrop, which is dedicated to special use cases.

Conclusion

PrivacyTools should not add SecureDrop.


The post is hereby released using the CC0 license. The author waives all copyrights and neighbouring rights to the extent possible under laws.

References

[1] https://securedrop.org
[2] ibid.
[3] https://www.nytimes.com/tips
[4] https://www.theguardian.com/securedrop
[5] https://onionshare.org/
[6] https://github.com/micahflee/onionshare/wiki
[7] E.g. The SecureDrop servers are under the physical control of The New York Times., see [5]

blacklight447 commented 2020-03-02 11:06:20 +00:00 (Migrated from github.com)

As we are mostly focused on things common users should use instead of full organizations, it is probably a better choice to not list SecureDrop.
