Lisa Rein: Next we’ve got Garrett Robinson from SecureDrop. We’ve been lucky enough that he comes back every year to give us and update on the incred­i­ble things that every year— it just seems to be more and more amaz­ing, and so here he is again to tell us about anoth­er big year for SecureDrop.

Garrett Robinson: First of all I want­ed to say I’m incred­i­bly hon­ored to be here, now and for the past two years. 

My name is Garrett Robinson and I am the lead devel­op­er of SecureDrop, and I have been for the past two years, so this is an update on where we’re at after work­ing on it for two years.

My first slide was going to be a quick intro­duc­tion about the his­to­ry of the project and how it evolved from DeadDrop, cre­at­ed by Aaron Swartz, but Lisa’s film com­plete­ly stole my thun­der and I can’t say any­thing about it now. While I was sit­ting there fran­ti­cal­ly think­ing of what to say instead, one thought did occur to me. The thing about SecureDrop and the rest of the talk I’m about to give is that it’s changed a lot in the past two years. But what I real­ized was that the core design, the core archi­tec­ture, is almost com­plete­ly unchanged from what Aaron cre­at­ed and called DeadDrop over 2 years ago today.

I think that’s a real­ly incred­i­ble tes­ta­ment to how bril­liant he was as a tech­nol­o­gist, that his ideas were so crys­tal clear and so pow­er­ful and still form a real­ly use­ful basis for an impor­tant tool. When you work on open-source projects, it’s a way to real­ly get to know some­body deeply, intel­lec­tu­al­ly. You’re work­ing close­ly on code, tech­ni­cal ideas, dis­cussing things, trade-offs, etc. I unfor­tu­nate­ly nev­er knew Aaron per­son­al­ly, but I do feel incred­i­bly grate­ful to have had the oppor­tu­ni­ty to in a way get to know him by work­ing on his project.

So two years ago we only had one instal­la­tion. Kevin Poulsen at The New Yorker installed DeadDrop, then called— it was the Strongbox instance. There were 375 com­mits and there were 20 con­trib­u­tors, many of whom are sit­ting in the audi­ence today. Thanks you guys. You guys are awesome.

Image: Wikipedia

It looked kin­da like this. It’s a web site, clear­ly, but beyond that kin­da 90s. A bit stuck in the past. So now, today, two years lat­er, what do we have? We have over twen­ty orga­ni­za­tions that use SecureDrop. We have every­body from…The New Yorker still runs it, The Intercept, The Washington Post, The Guardian. To small­er orga­ni­za­tions, NRKbeta, BayLeaks here in the Bay Area, a local orga­ni­za­tion doing awe­some inves­tiga­tive work. They just pub­lished some pret­ty cool sto­ries based on SecureDrop very recently.

And there are actu­al­ly even more than are on this list, but peo­ple just have begun in the past year or so email­ing us at Freedom of the Press and say­ing, Hey, we made a SecureDrop. It’s over here in Austria. It’s over here…all over the world.” These are just the ones that we were involved in set­ting up. There’s actu­al­ly more. We don’t real­ly know how many there are, but at least twen­ty, which I think is one of the great things about it being an open-source project. Anybody can set one up if they think that they want to.

And more com­ing soon. Cryptome, the ven­er­a­ble leak­ing orga­ni­za­tion and raw doc­u­ment source, trea­sure trove, is set­ting one up. It’ll be announced very soon. And we were just in New York recent­ly. We set up two more instances that’ll also be com­ing soon. We now have over 3,000 com­mits, so a hun­dred times the num­ber of com­mits we had before, which is awe­some. This has been the steady work we’ve been doing on the project for the past two years. And we now have 63 con­trib­u­tors, which is awe­some. Thanks again every­one who’s here, every­one who may be lis­ten­ing. We could not do it with­out you.

And this is what it looks like now. It a lot pret­ti­er. Again, this was all con­trib­u­tors. I am awful at design. I’m a soft­ware engi­neers, so it kin­da has to be that way, I think. But some peo­ple came through at one of our hackathons and made it look real­ly beau­ti­ful and it’s a lot more usable now, so it makes me real­ly proud to work on it now that it looks so great.

We recent­ly total­ly did our doc­u­men­ta­tion over. It’s way more read­able, it’s search­able, and peo­ple have been say­ing already that it’s way bet­ter to install SecureDrop and use SecureDrop with the new documentation.

One of our real­ly big, kind of endur­ing poli­cies is that we audit SecureDrop. So we hire out­side secu­ri­ty firms to inspect our code, find prob­lems, report them to us, we fix them and pub­lish the results. It’s an unusu­al process, espe­cial­ly for an open-source project, but it’s becom­ing more pop­u­lar as secu­ri­ty becomes more and more impor­tant for every­thing that we use on computers.

On our first audit, this was the conclusion:

We attempt­ed to deploy a ver­sion of DeadDrop on our inter­nal net­work by close­ly fol­low­ing the pro­vid­ed instruc­tions. After approx­i­mate­ly 30 per­son hours, we con­clud­ed that the com­bi­na­tion of incor­rect direc­tions, errors in pro­vid­ed scripts, and com­pli­cat­ed design make it unrea­son­able for reg­u­lar sys­tem admin­is­tra­tors to set up DeadDrop correctly. 

That was a bummer.

So this year we did our fourth audit, and this is a lot of text, so I’m going to high­light two parts that I think are real­ly worth noting.

SecureDrop’s exten­sive hard­en­ing places it well above indus­try stan­dards due to its empha­sis on secu­ri­ty and pri­va­cy. Overall, the new­ly intro­duced com­po­nents do not add to the already lim­it­ed attack sur­face, as the SecureDrop archi­tec­ture remains the same. The addi­tion of a Grsecurity-enabled ker­nel sig­nif­i­cant­ly rais­es the bar for attack­ers who man­age to suc­cess­ful­ly exploit the appli­ca­tion serv­er via var­i­ous mem­o­ry cor­rup­tion style attacks. Additionally, all inter­faces except the one used by sources are only avail­able over authen­ti­cat­ed Tor hid­den ser­vices. These fac­tors, com­bined with SecureDrop’s exist­ing defense in depth mea­sures, make tra­di­tion­al forms of serv­er com­pro­mise sig­nif­i­cant­ly difficult. 

One is that SecureDrop’s exten­sive hard­en­ing places it well above indus­try stan­dards due to its empha­sis on secu­ri­ty and pri­va­cy.” All these var­i­ous things that we’ve been doing this year, we’ve got a hard­ened ker­nel on every SecureDrop now, a ton of addi­tion­al hard­en­ing, more test­ing, more audit­ing. These things com­bine to make it real­ly hard to hack, which is the whole point.

We have a new web site. Our awe­some sysad­min Kevin Gallagher and Crystal Lee worked togeth­er to cre­ate a brand new SecureDrop web site. It explains how it works, and peo­ple who want to set it up can go here and learn how to do that. It’s real­ly nice; check it out. 

This actu­al­ly hap­pened a lit­tle over a year ago, but I want­ed to say it again because it was so awe­some. You guys might’ve heard of that guy and you might’ve seen this movie. It’s a great movie. We were real­ly excit­ed because we were includ­ed, along with a num­ber of oth­er real­ly great projects, in the end cred­its as a project that accord­ing to the direc­tor were essen­tial for the mak­ing of the film. So that was a real­ly spe­cial hon­or. (These oth­er guys, the Tor Project, I don’t know who they are. Weird.)

We’ve been work­ing on some oth­er stuff that we’re going to be talk­ing about more in the future. I think this is just one exam­ple of stuff that we’ll hope­ful­ly talk more about soon. 

We’re work­ing with a group of pro­fes­sors and stu­dents at Columbia University on some cus­tom hard­ware for SecureDrop to make it even more secure. I don’t want to go into this at length because you’ll all fall asleep, but this is a pro­to­type board that we just took a look at and saw a demo of last week. We’re hop­ing to talk more about it, and it will hope­ful­ly make a real­ly huge dif­fer­ence in the secu­ri­ty of the sys­tem for every­body who uses it. So it’s kind of awesome.

One ques­tion that we get a lot about SecureDrop is Does it work?” Obviously we can’t real­ly talk about it in detail. It’s real­ly impor­tant that we main­tain the secu­ri­ty of what we know about it, and we per­son­al­ly try to learn as lit­tle as pos­si­ble. But I can say that it is being used, you have prob­a­bly read news sto­ries that were sourced from it, and Columbia University’s jour­nal­ism school is writ­ing a report on it right now which will prob­a­bly come out next year that is based on inter­views with peo­ple who use it in the field, and it will hope­ful­ly explain a bit more about how it’s use­ful, how it impacts jour­nal­ism, and we hope we can point to it and say, See?” but until then we have to be kind of qui­et about it. Hush hush.

Really quick, I want­ed to say that the par­ent orga­ni­za­tion that main­tains SecureDrop is the Freedom of the Press Foundation, and we’ve been grow­ing. We cur­rent­ly have a total of six employ­ees, which is twice the size we were last year. We’ve hired some real­ly awe­some peo­ple. We’ve hired Harlo Holmes, who is a dig­i­tal secu­ri­ty train­er. She is awe­some, and that’s a real­ly cool pic­ture of her. We’ve hired this guy, his name is Conor. He’s real­ly cool, too, awe­some devel­op­er work­ing with us. He’s over here. And just two weeks ago, we hired anoth­er soft­ware engi­neer for SecureDrop. His name’s Noah. He’s also here. So I hope with all these new real­ly tal­ent­ed peo­ple we can con­tin­ue to do more excit­ing work with SecureDrop.

Finally, I want­ed to say that this is not a pic­ture of a lum­ber­jack and the gui­tarist from U2, although it looks like that, I know. That guy is me (hard to believe) but the guy on the left is James Dolan, who was one of the orig­i­nal archi­tects of SecureDrop along with Aaron and Kevin Poulsen. James left the project only known pic­ture of him in exis­tence. He’s kin­da like Bigfoot. He would­n’t want me to say this, but he has had an incred­i­ble influ­ence on the project. It would­n’t be what it is with­out him, and I just want­ed to thank him for every­thing he’s done.

That being said, there is a lot more to do. Everyone who was at the hackathon knows we have a lot of work to do to keep mak­ing this project more secure, eas­i­er to use, and more impact­ful. So get involved, and thanks.

Further Reference

The Aaron Swartz Day web site.

Help Support Open Transcripts

If you found this useful or interesting, please consider supporting the project monthly at Patreon or once via Cash App, or even just sharing the link. Thanks.