Hey, Chaos West people, we're now ready to perform our next talk, hand it in by Freedom of Press. Three amazing people will explain everything you want to know about that, and I will just hand over to Freddy. Thank you very much. Go ahead.

Good afternoon. Thank you for coming. I am just going to quickly introduce two of our amazing hackers, Loïc Dachary and Eric Heartsucker, Hartsuyker, and they will be talking about SecureDrop. SecureDrop is a software platform that is maintained by Freedom of the Press Foundation. It is a hardened whistle-blowing platform, so it... Yeah, so we'll be talking about whistle-blowing and just the project, so I will hand it off to them.

Cool, so this is going to be more of a high-level talk on SecureDrop and its architecture and its use cases, and at the end we'll have a Q&A session where you can ask us implementation questions about how we made certain decisions, what the threat model is and whatnot. So, start off with something a bit more high level.

Cool, so yeah, what you'll leave with is, we're going to explain sort of the basics of what journalists have to deal with and how sources have to try to keep themselves anonymous in the modern world when it comes to leaking documents or even just anonymously submitting tips to journalists. We're also going to give a more high-level overview of the architecture, and we are an open-source project and there's lots of ways to contribute, so we're going to discuss some of those things at the end. And we also, as the Freedom of the Press Foundation, will be discussing the future of how the American organization will be moving into Europe to sort of help with press freedom issues that Europeans face.

So you guys might recognize some of these people, Jeremy Hammond, Chelsea Manning, Edward Snowden, as people who have leaked documents to sort of change the world in dramatic or less dramatic ways, pan you see it, and it's important that people are able to continue to leak classified information in a way that they, that keeps them safe.
Unfortunately, that doesn't seem to be the reality of this. No pun intended. That we cannot provide safety in all times or anonymity to sources. So, it's supposed to be a video, but I guess not.

In the past it was possible for journalists to just not say who their source was, and that was sufficient to protect someone's anonymity. With the rise of global surveillance, that's actually not possible anymore. We know that metadata can tie individuals to each other, and so if a new story breaks, the government can go back and look at who contacted journalists when that happened and then build a case to identify which person was the source. So even if a journalist refuses to testify in court, either through, you know, parallel construction or whatever other techniques they choose to use, it is not possible in every case the way it used to be for a journalist to protect a source.

So... Man. Anyways, these slides are out of order. What I was getting at is SecureDrop restores the possibility for journalists to do, through non-compliance, something to protect the anonymity of their sources. So we have an architecture that primarily relies on using the Tor network to anonymize metadata, and we encrypt the data as it transits to and from the servers and on the servers, and we aim to minimize anything we log on the servers, such as Apache access logs or timestamps on files on the file system, or to, from, you know, not log user IDs and whatnot.

And we know this is a problem because we've seen current government administrations do, make active efforts to de-anonymize sources and to go through records and to do sort of active spying on news organizations.

So again, what SecureDrop does is, it is physical servers that we expect each news organization to buy and set up in their property so that they have complete control of the hardware and they know what's happening to them.
We actually usually ask them to put the physical servers and the firewalls inside their newsroom in a high-traffic area where there will always be people around it, which makes it less likely that somebody walks into a supply closet, unplugs it or sticks in a bad USB and breaks everything.

This also is very important because if you, say, used Amazon and tossed your stuff in the cloud, you would now have all of your encryption keys in the cloud. You would know that somebody could steal your onion address private key, somebody could look at the network traffic unencrypted, and/or they could just grab the entire hard drive out of there, and you as an administrator of a SecureDrop instance would not know that happened. So it's very important that we have these physically located in the newsrooms.

Because of the nature of how onion services work, we do get end-to-end encryption from the source's Tor Browser to the journalist's SecureDrop instance, and it is possible also, we advertise the journalist public key on SecureDrop, so if a user is more tech savvy, they could encrypt the documents or messages locally, then send them through to get guaranteed end-to-end encryption from the source all the way to the journalists, including through the SecureDrop servers themselves. If somebody is not tech savvy enough to set this up, when the files are streamed in or the data streamed in, we run it through GPG and write the files to disk encrypted, so that they never are written to disk in an unencrypted state.

And again, this is being quite paranoid. We expect it to not be the case that somebody will physically come into the office and take the hard drives out, but that does happen. So for example, it was the Guardian, after the Snowden leaks, actually had GCHQ come into their offices and raid their offices and forced them to destroy their hard drives.
So it is a real risk even in what we think to be a more democratic Western society.

Again, as mentioned, through using Tor and being careful what we log and not using, you know, user names that users can choose themselves, and assigning them random user names, we minimize the possibility that metadata will de-anonymize them even if the documents themselves would not. And this is all again wrapped on top of a relatively hardened Linux installation. So we take base Ubuntu and we install a whole bunch of packages to help minimize the possibility that it gets hacked. So one of the big ones we use is, we use grsecurity and PaX control to try to restrict the processes themselves, so that if somebody is able to get a small amount of exploit, we limit the damage or possibly keep it isolated to just a single process.

And another thing we think is very important about building secure software is being free/libre open source, so that you yourself could take this and you can modify it if you believe you have more expertise than we do. We also have, it's bug bounty, is a bug bounty program, so you can look at the source code. You can set SecureDrop up yourself in a virtual machine.
You can test it, you can exploit it if you think you can, and we will work with you to make changes to help ensure other people's security.

And like a brief history of SecureDrop, how it came into existence also. It was started by the late Aaron Swartz in 2012 with Kevin Poulsen from Wired, yep, and there's a project they worked on together, and it was first installed back then with only a single news organization. It was released under the AGPL license, and it's currently maintained by nine of us plus various members of the community. Former contributors still, you come back, former employees from the FPF sometimes come back, and we have hackathons some weekends. And so there actually are like possibly another hundred contributors we could put up there, but this is the core team, and these two guys down here who were on stage a second ago are also major contributors to this.

So, and these are definitely out of order. Anyways, way back when, the New Yorker was the first news organization to install this, and now we have something like 80 installations of it. We have a whole bunch in the US, a handful of startup here in Europe. We, in Germany, Heise, yeah, Heise is the only news organization in Germany that has a SecureDrop instance, and we're hoping to expand that and get more news organizations using this, because we really do believe it's one of very few number of tools that can actually protect sources who are engaging in whistle-blowing.

So this goes back to another problem. So this is a very technical, very hackerly, Linux-y, fun project, but the average person working for a government agency might not have the ability to just spontaneously stumble across this, so we encourage news organizations to advertise this themselves in different ways. So sometimes it's simple. Oh, man, bad formatting. Anyways, you can see down here, it says SecureDrop on the bottom. It's the front page of their newspaper.
They list a link to their onion address and/or, say, a list of their landing page, which explains how to download Tor Browser, how to find, like, verify it, how to get the onion address in there and why it needs to be used the way it is. It also usually lists their public key. Bad formatting. Sometimes also they will take out ads in the physical papers or they'll put ads on social media.

And again, this is the Intercept. This is their main page, of a link to become a source down at the bottom. And this is an example landing page explaining how to get Tor Browser, how SecureDrop works, and sometimes we'll even link to May documentation about the basics of using it, or they'll have some screenshots showing them what to expect before they really get into this process.

And one thing that's important about this is the idea of, maybe call it herd immunity. So if you have one source and that is the only person using Tor in a given city, it's pretty obvious that if a leak comes out of that city and it went to SecureDrop, it happened from that one person. So it actually is very important that all of you using, you know, Reddit or whatever, Stack Overflow, actually use Tor Browser for this, because your traffic hides other people's traffic. And so the more people who use Tor daily, the more, like, the less likely it is that somebody who's using Tor for something like leaking, or has a very strong need for anonymity, it's less likely they'll get caught.
So very much encourage you to use Tor day-to-day if you can.

So now a little bit more into how SecureDrop actually works. So we start off setting up a server behind a firewall in a news organization, and this server only runs as an onion service, i.e. the firewall blocks off all incoming traffic, and we expect a source to connect to it through the network. The source will take some documents or some messages and, man, they land on the page, they will see, this is roughly what the landing page looks like these days, and they have the opportunity to submit documents. They will be assigned a random codename. This codename will allow them to log back in in the future, and it moves through the Tor network with end-to-end encryption through onion services to the SecureDrop server. The SecureDrop server encrypts them with PGP and then stashes them for later and notifies the journalists.

Cool, so the way the journalists get this stuff back is, the journalists will then, using a Tails-based system, log in to a journalist interface and see a list of sources. Sources are assigned a random-adjective, random-noun username so that the journalists can keep track of who they are and, you know, for sharing with other journalists. When they get these documents, they will download the documents to an external USB, transfer this external USB to an air-gapped laptop that contains the private keys, and the private keys can then decrypt the devices.

So, like, this whole air gap process is itself a little bit cumbersome, but it does provide an extra layer of security, and we figure, since the kind of documents SecureDrop specifically tries to protect are classified information, government leaks, interests of potential national impact, and if those are the documents you're leaking and those are the adversaries you have, you can assume that they do have the capability to break a lot of the things that we have hardened against in ways that we haven't yet discovered, through zero-day exploits and whatnot, so
by taking the private key information and air-gapping it and trying to encourage, like, good practices with how we transfer documents off of the machines that connect to the internet onto the air-gapped devices, it does help minimize the possibility of exfiltrating data, specifically the private keys, or any way of de-anonymizing users.

Yep, we covered all that. Okay. Think that covers the actual leaking step.

So this is the current architecture diagram of how SecureDrop works, and you can see that it is kind of complicated. So it can, a source up in the top left will, we, the doc, leak the document down to application servers. The application server is monitored by a monitoring server that does OSSEC checks against it for integrity to try to alert administrators and journalists if there's been a breach. Then the journalist downloads, again back through the Tor network using another onion service, puts it on USB, transfers it to the offline air-gapped thing, and then from there will work on publishing it if they verify the documents are something worth investigating.

So this is kind of messy, and it's something we're trying to work on in the future. We do have a lot of work going into this for switching to Qubes. So if Qubes interests you, we have a lot of work on that, and some of the guys down the front can talk to you about this after this presentation.

Yes, again, how you can help. So one thing that has been really important the last year is Loïc has been at the spearhead on localizing SecureDrop. So from 2012 until about maybe midway through this year, we only had English as the single language. Now we have fully translated Arabic, German, Norwegian, French, Chinese. What else?
Okay, there's only Spanish. Yeah, there's a lot, and we have partial translations for a lot of these. This is actually one of the easiest ways to contribute. There's a very nice web interface and you can just go in, and if you speak any languages besides English, you can, it will present you a string, it will say like "hello, welcome to search SecureDrop", and then you just type in the exact same string in your native language. It's extremely simple and it's, you know, pretty low workload if you're interested in doing this. So if you would like to talk to us about localization afterwards, yes, really, we're very interested in that. We've been working with Localization Lab, so if anybody from Localization Lab is here... No, yeah, awesome. Great. They said thank you for your assistance. We, this is something that we've struggled with for a long time. I would, like, very, very appreciative of the help.

Again, out of order slides. So the other major ways to help with SecureDrop is with documentation, to help journalists understand how to use it and how to help server administrators set this up, because currently the install process does include configuring firewalls, doing manual Linux configuration, running a bunch of Ansible scripts and whatnot, and can be complicated. So if you are a technical writer, we would love assistance with that as well. And yeah, in general just get in touch. Like, this is something that's very welcoming of the community. So I'm gonna pass this off to Loïc right now. He's gonna talk a bit about the Freedom of the Press Foundation in Europe and sort of, yeah.

Yep. So there have been questions about why SecureDrop is necessary instead of having just an HTTPS to leak information, and the gist of it is that you need to leak classified information. And the reason is, when you work, when there is a country with an intelligence agency, there cannot be any oversight body. A lot of countries have oversight bodies, but they are a joke.
It's, they are appointed by the government to oversee the intelligence agency, which is appointed by the government. So it's the right hand controlling the left hand. It does not work. The only way it works is when employees or contractors of the intelligence agencies are courageous enough to leak information when they witness something that goes against the general public interest. And since they are the only control mechanism, they need to exist now and for a very, very long time.

It's not like it's a pirate thing to do, illegal thing to do. The lawmakers agree that you need that kind of control and that there is no other way, to the point that a coalition of non-profit organizations went together and in 2013 published the Tshwane Principles, which explain why leaking classified documents, classified information, in the context of national security is needed. But it's not just a group of NGOs who did that. It's also the Council of Europe who supports these documents, and so they carry some weight.

You can hope that one day we will have directives protecting whistleblowers, but unfortunately it's still being discussed now. As you may know, in October 2017 there has been a report voted by the European Parliament, a vast majority, asking for a directive to protect whistleblowers in general, not just those leaking classified information. Unfortunately this report is very good for whistleblowers in general but says very little about those involved with classified documents. So for the time being the situation in Europe is that we have to wait maybe for a decade or two for that kind of legislation to happen. In the meantime, it is up to us to provide tools like SecureDrop so these whistleblowers can be protected by preserving their anonymity.
That's the only thing they have.

And now in Europe, unfortunately, only these countries have SecureDrop. So the rest of the countries do not yet have that. You have one intelligence agency per country at least, so you should be able, if you live in a country, you're an employee of this intelligence agency, you should be able to reach out to an investigative journalist that you know because he or she wrote articles about this subject, and you trust this person to follow up on the important revelation that you have. But you also need to be protected, which is currently the case only if you live in these countries.

And here comes the investigative journalist paradox. So this is, in my view, the reason why it only exists in these few countries. If you go to an investigative journalist and you ask them, "How far are you willing to go to protect your sources?", they will unanimously say, "As far as it takes, and if national security or classified documents are involved, I'm ready to do whatever it takes to protect them." And then if you ask them, because they know about infosec and whatnot, if you ask them what they think of SecureDrop, all of them will tell you that's the best tool there is, there is nothing better to protect sources entrusted with classified documents. And then the third question, where comes the paradox, is, "What are you doing yourself now to protect that kind of sources, to make it possible for them to come to you?" And the answer is, in most cases, "I don't do anything.
I don't have access to SecureDrop." So to their credit, before 2017 it was not localized and it was kind of difficult to find a geek nearby to help you technically set up that, but it's no longer true.

So in Europe, what we're going to do in the next year and more is to go and travel to every European country where there is not a SecureDrop yet and try to find at least one journalist who would be willing to use it, who values the tool but says, "Oh, I don't use it because, well, it's a little bit too complicated." Let me show you how it works. "Oh yes, but it's too expensive to install." But we establish a nonprofit that will pay for these fees, and it's not much, it's a few hundred euros per year. "Oh yes, but you need someone to maintain that." Yeah, but we have volunteers also, and maybe if we don't have volunteers we can go and look for funding, so you, investigative journalist, you can do your work. Because as you may know, investigative journalists do not really have a lot of money to spend. And so that's a narrow view, but an important one, about what Freedom of the Press Foundation Europe will be in the next year.

Ah, that's this. Thanks, and now we have a few minutes for questions if you have some. And contact information for all of us, if you're lazy you can just scan the QR codes. Also, especially looking forward to technical questions, because that's what I would really like to talk about, but whatever you guys are interested in. Anyone?

So, so the question was, how does the air-gapping look like, and it is a, so we recommend you take like a, you know, ThinkPad or something like that, remove all the physical speakers and the webcam and things like that, and the private keys are on an encrypted Tails live distro. So when you want to decrypt documents, you move them from the journalist interface into the, what we call the secure viewing station, and then you have the private key there that will be able to decrypt the documents. So even if, in that whole big model, even if any part of
that is exploited, you still have your private keys, like, on an encrypted disk. So that's one of the things that we do.

And the last one I built was a Brix, 130 euro, and, you, a Brix is a kind of cube. It runs, it has a Celeron in it, so it's really cheap, and you have a Wi-Fi component that you can unscrew, so you remove it, and you have an RJ45 port that you can glue with epoxy so the journalist is not tempted by accident to plug something in, and then you make it air gap. It has audio, but it does not have speakers, so you do not need to remove the speakers. It has audio input and output, but if the jacks are not plugged in there is no signal, and there you have the air gap, the cheapest air gap I was able to build.

So we do have one problem with the air gap, is that the current instructions tell a journalist to reuse the same USB for transferring documents multiple times, which is problematic and we know that, and ideally the best way to do it would be to actually burn CDs and move them one way only, because you could write once and you couldn't get information back off. We've also had a problem recently. There was an exploit that went out in the wild this summer, about somebody who found a way to abuse Nautilus to allow arbitrary Python code to execute, and they were creating OpenOffice documents with QR codes that contain private key material, and journalists were scanning these and then pinging a URL and exfiltrating private key material through a URL.
So, like, the air gap itself is problematic, which is why we're moving to Qubes, because then the air gap matters less, because your private key material will not be on the same VM as the place where you, like, open documents, run documents and whatnot. So there is some more sane way for us to handle that. But, like, the current air gap architecture was the best we could do at the time, and we are moving away from that in the future. Does that sufficiently answer your question?

Yeah, so his question was, why do we not use a one-way high-speed serial interface to transfer data, because of the problems we just mentioned with USBs. And I, we think realistically that isn't a way to solve it in the future, but I think when this first happened it was, you know, one or two people working on the project and pushing this out to journalists who had to maintain it themselves, their actual instances, and I think that would be overly complicated, and once you get too complicated you actually get worse security properties, because somebody will make a mistake because of the complexity. I believe that was why the decision was made, like, a long time ago, but... Yeah, next question. Saw someone.

Yeah, so the question is, do we do anything with collected collections? No, so we do the technical infrastructure and we provide things like assistance and support and things like that, but we, our job is to help the journalists do their job, you know, their job, and we don't want to know. So even, paradoxically, even us who work at Freedom of the Press Foundation don't know if a story came through SecureDrop or not. Heartsucker had a slide that showed, you know, sometimes people would advertise, but we kind of don't want to know, and also there are legal reasons why we as a foundation would not want to even, you know, know that something came through SecureDrop. So we kind of try to wall off in that way as well. Does that make sense?
Yeah, I mean, the thing too is, we actually don't have access to any of the servers running SecureDrop. What we do is, we find an admin at a given news organization and we work with them and help them install it, but we never have access to any of the SecureDrop instances ourselves. So we actually could not get the documents if we wanted to, which we see as very advantageous, because then that would cause us to be the single point of failure in a, like, decentralized network of many SecureDrop instances running on their own. So even if we wanted to, we definitely cannot get the documents.

So the question was, why do we not pair up with the Internet Archive? Yeah.

I'm sorry, please repeat. It's me, the stage manager.

Yo. Do you want us to repeat his question, or...

Yes, please repeat the question.

Actually, do you just gonna give him your mic? That might be faster.

So my question is, thanks, have you thought of maybe pairing up with a large institution that collects this information so that all of the press has access to it, so that we don't get one press that tells the story, which might then be biased? Like for example the Internet Archive, that tries to stay neutral on all causes.

Sort of. I... Okay, so the question of, like, democratizing the access is a really important one. It's complex because we have to reach out to, we try to reach out to people and say, this is the thing and your news organization definitely needs it. And so the installations are often mixed. So sometimes it'll be, you know, one journalist at a news organization who does all the work, sometimes there will be an editor who, for example, will log in and distribute source it material, stories, to their journalists, sometimes it'll be like the parent company of a conglomerate, so it might be the case that it goes not to one news organization but a family of them. So that's a thing that the, then there's another kind of tool that we're working on for working with archives, that, like, and how do you share an archive
between multiple news organizations or multiple journalists, you know, in a secure way? Um, so that's another tool that we're kind of working on, but it's a bit complex to answer that issue, because we are basically at the will of other news organizations and how they want to work. Um, so the best that we can do is, you know, advertise and let people know that this is a thing and meet them wherever they are. Does that... Anyone else? Cool. Okay. I guess we're done.

And so, yeah, I do have, at the end I always have a few questions.

Oh, cool.

First of, my apologies. I was messed up in some stage manager stuff. They have, so, I really liked your talk, and as soon as I have some time I would like to talk on private with you. Where do I find you guys?

We don't have a table, actually. We do? Oh, apparently we have a table by IP to our 2p.

Oh, that's just behind the stage, right? Like a little to the left. Okay, cool. I hope I get the time, because I have, I would like to use... It's gonna be amazing. Thanks again.

Cool. Yeah, thanks for asking for talk. Also, thank you for attending, and thank you for providing a space for us.

You're more than welcome.