SecureDrop

from Wikipedia, the free encyclopedia
SecureDrop

SecureDrop logo
Screenshot of the SecureDrop view for whistleblowers.
Screenshot of the view for whistleblowers.
Basic data

Maintainer Freedom of the Press Foundation
developer Aaron Swartz , Freedom of the Press Foundation , Kevin Poulsen , James Dolan
Publishing year 2013
Current  version 0.3.10
(October 25, 2016)
operating system Linux , Tails
programming language Shell, Python
License AGPL
German speaking No
securedrop.org

Gate : secrdrop5wyphb5x.onion

Securedrop ( English , safely ball ') is a free platform for the secure communication between journalists and whistleblowers . The web application was originally developed under the name DeadDrop by Aaron Swartz and Kevin Poulsen .

The first instance of the platform was launched on May 14, 2013 under the name Strongbox by The New Yorker . After the death of Aaron Swartz, the project was taken over by the Freedom of the Press Foundation in October 2013 and continued under the name SecureDrop. There are now installations by various organizations, including The Guardian , The Washington Post , The Intercept , the Süddeutsche Zeitung and Heise-Verlag .

In 2016 SecureDrop received the FSF Award .

safety

SecureDrop uses the Tor network for anonymization; secure communication between whistleblowers and journalists should be enabled. SecureDrop installations can therefore only be reached as hidden services of the Tor network with an .onion address. When the sensitive documents are uploaded, the whistleblower is assigned a randomly generated code name. With this, the journalists can leave messages for the whistleblower. The messages can only be retrieved through SecureDrop and with the correct code name.

Audits

Before the release of each major version, a security audit is carried out by an external team of experts that changes each time .

In August 2013, the first security audit was carried out by a team from the University of Washington , which included Bruce Schneier and Jacob Appelbaum . They found SecureDrop to be a technically decent system, but criticized the technical competence that journalists assume. Errors in the use of journalists could compromise the anonymity of the sources.

The source code of version 0.2.1 was checked by the Berlin security company Cure53 before it was released. The summary of the penetration test report stated that no critical errors were found. In addition, SecureDrop is described as a well-secured application with few potential for attack.

Before the release of version 0.3, a security audit was also carried out by the security company iSECpartners, under the direction of Valentin Leon and Jonathan Chittenden. Two vulnerabilities were discovered, which were classified as "difficult to exploit" and were corrected before publication. None of the vulnerabilities discovered were classified as critical.

functionality

The provided documents are encrypted with OpenPGP and transferred to a separate mirror server . Journalists access the server with a connection through the Tor network and save the encrypted documents on a USB memory stick . A computer disconnected from the Internet starts up with a Live CD ; before each use, all data is completely deleted from this computer. The required decryption keys are stored on another USB flash drive. The documents can now be decrypted and prepared for publication.

Web links

swell

  1. github.com .
  2. freedom.press .
  3. freedom.press . (accessed January 30, 2015).
  4. ^ A b c Freedom of the Press Foundation : SecureDrop. Retrieved July 31, 2014 .
  5. ^ The Official SecureDrop Directory . Freedom of the Press Foundation. Retrieved January 29, 2017.
  6. ^ A b c Michael Kassner: Aaron Swartz legacy lives on with New Yorker's Strongbox: How it works. TechRepublic , May 20, 2013, accessed July 31, 2014 .
  7. a b c Amy Davidson : Introducing Strongbox. The New Yorker , May 14, 2013, accessed July 31, 2014 .
  8. ^ Freedom of the Press Foundation: The Official SecureDrop Directory. (No longer available online.) Archived from the original on January 2, 2015 ; accessed on July 31, 2014 (English). Info: The archive link was inserted automatically and has not yet been checked. Please check the original and archive link according to the instructions and then remove this notice. @1@ 2Template: Webachiv / IABot / freedom.press
  9. James Ball : Guardian launches SecureDrop system for whistleblowers to share files. The Guardian , June 5, 2014, accessed July 31, 2014 .
  10. ^ Washington Post: Q&A about SecureDrop on The Washington Post. Washington Post , June 5, 2014, accessed September 12, 2014 .
  11. Micah Lee , How to Securely Contact The Intercept. The Intercept , February 3, 2014, accessed July 31, 2014 .
  12. Christopher Ophoven: Investigative Journalism - The Insecure Communication with Anonymous Sources. In: Deutschlandfunk . Retrieved on March 28, 2019 (German).
  13. How to reach us safely. In: Süddeutsche Zeitung. Retrieved March 28, 2019 .
  14. Jürgen Schmidt: Heise opens disclosure platform heise Tippgeber . heise.de. August 5, 2016. Accessed on March 26, 2017: “The secure mailbox is based on the Freedom of the Press Foundation's Secure Drop open source project, which was specially designed for such purposes and which heise Security has adapted for everyday editorial use . [...] heise Tippgeber is the first major German Internet service to offer an anonymous mailbox based on Secure Drop. "
  15. Jürgen Schmidt: Simple / safe. Behind the scenes of heise Tippgeber . In: c't (Heise-Verlag) . No. 17, 2016, pp. 130-132.
  16. ^ A b Garret Robinson: Announcing the new version of SecureDrop, with the results from our third security audit. (No longer available online.) March 23, 2015, archived from the original on March 23, 2015 ; accessed on March 23, 2015 (English). Info: The archive link was inserted automatically and has not yet been checked. Please check the original and archive link according to the instructions and then remove this notice. @1@ 2Template: Webachiv / IABot / freedom.press
  17. Alexei Czeskis, David Mah, Omar Sandoval, Ian Smith, Karl Koscher, Jacob Appelbaum, Tadayoshi Kohno, Bruce Schneier: DeadDrop / StrongBox Security Assessment. (PDF) University of Washington , August 11, 2013, p. 20 , accessed on August 4, 2014 .
  18. Garrett Robinson: 0.2.1 Released! Retrieved July 31, 2014 .
  19. Dr.-Ing. Mario Heiderich, Nikolai K., Fabian Fäßler: Pentest-Report SecureDrop 12.2013. (PDF) Cure53 , December 2013, p. 14 , accessed on August 4, 2014 (English).