Lisa Rein: Next we’ve got Garrett Robinson from SecureDrop. We’ve been lucky enough that he comes back every year to give us an update on the incredible things that every year— it just seems to be more and more amazing, and so here he is again to tell us about another big year for SecureDrop.

Garrett Robinson: First of all I wanted to say I’m incredibly honored to be here, now and for the past two years.

My name is Garrett Robinson and I am the lead developer of SecureDrop, and I have been for the past two years, so this is an update on where we’re at after working on it for two years.

My first slide was going to be a quick introduction about the history of the project and how it evolved from DeadDrop, created by Aaron Swartz, but Lisa’s film completely stole my thunder and I can’t say anything about it now. While I was sitting there frantically thinking of what to say instead, one thought did occur to me. The thing about SecureDrop and the rest of the talk I’m about to give is that it’s changed a lot in the past two years. But what I realized was that the core design, the core architecture, is almost completely unchanged from what Aaron created and called DeadDrop over 2 years ago today.

I think that’s a really incredible testament to how brilliant he was as a technologist, that his ideas were so crystal clear and so powerful and still form a really useful basis for an important tool. When you work on open-source projects, it’s a way to really get to know somebody deeply, intellectually. You’re working closely on code, technical ideas, discussing things, trade-offs, etc. I unfortunately never knew Aaron personally, but I do feel incredibly grateful to have had the opportunity to in a way get to know him by working on his project.

So two years ago we only had one installation. Kevin Poulsen at The New Yorker installed DeadDrop, then called— it was the Strongbox instance. There were 375 commits and there were 20 contributors, many of whom are sitting in the audience today. Thanks, you guys. You guys are awesome.

It looked kinda like this. It’s a web site, clearly, but beyond that kinda 90s. A bit stuck in the past. So now, today, two years later, what do we have? We have over twenty organizations that use SecureDrop. We have everybody from…The New Yorker still runs it, The Intercept, The Washington Post, The Guardian. To smaller organizations, NRKbeta, BayLeaks here in the Bay Area, a local organization doing awesome investigative work. They just published some pretty cool stories based on SecureDrop very recently.

And there are actually even more than are on this list, but people just have begun in the past year or so emailing us at Freedom of the Press and saying, “Hey, we made a SecureDrop. It’s over here in Austria. It’s over here…all over the world.” These are just the ones that we were involved in setting up. There’s actually more. We don’t really know how many there are, but at least twenty, which I think is one of the great things about it being an open-source project. Anybody can set one up if they think that they want to.

And more coming soon. Cryptome, the venerable leaking organization and raw document source, treasure trove, is setting one up. It’ll be announced very soon. And we were just in New York recently. We set up two more instances that’ll also be coming soon. We now have over 3,000 commits, so a hundred times the number of commits we had before, which is awesome. This has been the steady work we’ve been doing on the project for the past two years. And we now have 63 contributors, which is awesome. Thanks again everyone who’s here, everyone who may be listening. We could not do it without you.

And this is what it looks like now. It’s a lot prettier. Again, this was all contributors. I am awful at design. I’m a software engineer, so it kinda has to be that way, I think. But some people came through at one of our hackathons and made it look really beautiful and it’s a lot more usable now, so it makes me really proud to work on it now that it looks so great.

We recently totally did our documentation over. It’s way more readable, it’s searchable, and people have been saying already that it’s way better to install SecureDrop and use SecureDrop with the new documentation.

One of our really big, kind of enduring policies is that we audit SecureDrop. So we hire outside security firms to inspect our code, find problems, report them to us, we fix them and publish the results. It’s an unusual process, especially for an open-source project, but it’s becoming more popular as security becomes more and more important for everything that we use on computers.

On our first audit, this was the conclusion:

We attempted to deploy a version of DeadDrop on our internal network by closely following the provided instructions. After approximately 30 person hours, we concluded that the combination of incorrect directions, errors in provided scripts, and complicated design make it unreasonable for regular system administrators to set up DeadDrop correctly.

That was a bummer.

So this year we did our fourth audit, and this is a lot of text, so I’m going to highlight two parts that I think are really worth noting.

SecureDrop’s extensive hardening places it well above industry standards due to its emphasis on security and privacy. Overall, the newly introduced components do not add to the already limited attack surface, as the SecureDrop architecture remains the same. The addition of a Grsecurity-enabled kernel significantly raises the bar for attackers who manage to successfully exploit the application server via various memory corruption style attacks. Additionally, all interfaces except the one used by sources are only available over authenticated Tor hidden services. These factors, combined with SecureDrop’s existing defense in depth measures, make traditional forms of server compromise significantly difficult.

One is that “SecureDrop’s extensive hardening places it well above industry standards due to its emphasis on security and privacy.” All these various things that we’ve been doing this year, we’ve got a hardened kernel on every SecureDrop now, a ton of additional hardening, more testing, more auditing. These things combine to make it really hard to hack, which is the whole point.

We have a new web site. Our awesome sysadmin Kevin Gallagher and Crystal Lee worked together to create a brand new SecureDrop web site. It explains how it works, and people who want to set it up can go here and learn how to do that. It’s really nice; check it out.

This actually happened a little over a year ago, but I wanted to say it again because it was so awesome. You guys might’ve heard of that guy and you might’ve seen this movie. It’s a great movie. We were really excited because we were included, along with a number of other really great projects, in the end credits as a project that according to the director were essential for the making of the film. So that was a really special honor. (These other guys, the Tor Project, I don’t know who they are. Weird.)

We’ve been working on some other stuff that we’re going to be talking about more in the future. I think this is just one example of stuff that we’ll hopefully talk more about soon.

We’re working with a group of professors and students at Columbia University on some custom hardware for SecureDrop to make it even more secure. I don’t want to go into this at length because you’ll all fall asleep, but this is a prototype board that we just took a look at and saw a demo of last week. We’re hoping to talk more about it, and it will hopefully make a really huge difference in the security of the system for everybody who uses it. So it’s kind of awesome.

One question that we get a lot about SecureDrop is “Does it work?” Obviously we can’t really talk about it in detail. It’s really important that we maintain the security of what we know about it, and we personally try to learn as little as possible. But I can say that it is being used, you have probably read news stories that were sourced from it, and Columbia University’s journalism school is writing a report on it right now which will probably come out next year that is based on interviews with people who use it in the field, and it will hopefully explain a bit more about how it’s useful, how it impacts journalism, and we hope we can point to it and say, “See?” but until then we have to be kind of quiet about it. Hush hush.

Really quick, I wanted to say that the parent organization that maintains SecureDrop is the Freedom of the Press Foundation, and we’ve been growing. We currently have a total of six employees, which is twice the size we were last year. We’ve hired some really awesome people. We’ve hired Harlo Holmes, who is a digital security trainer. She is awesome, and that’s a really cool picture of her. We’ve hired this guy, his name is Conor. He’s really cool, too, awesome developer working with us. He’s over here. And just two weeks ago, we hired another software engineer for SecureDrop. His name’s Noah. He’s also here. So I hope with all these new really talented people we can continue to do more exciting work with SecureDrop.

Finally, I wanted to say that this is not a picture of a lumberjack and the guitarist from U2, although it looks like that, I know. That guy is me (hard to believe) but the guy on the left is James Dolan, who was one of the original architects of SecureDrop along with Aaron and Kevin Poulsen. James left the project only known picture of him in existence. He’s kinda like Bigfoot. He wouldn’t want me to say this, but he has had an incredible influence on the project. It wouldn’t be what it is without him, and I just wanted to thank him for everything he’s done.

That being said, there is a lot more to do. Everyone who was at the hackathon knows we have a lot of work to do to keep making this project more secure, easier to use, and more impactful. So get involved, and thanks.

Further Reference

The Aaron Swartz Day web site.