Copyedit and update Source Guide #4880

Merged
merged 4 commits into from Oct 23, 2019


eloquence
Member

  • The "Get Tor" instructions as written didn't work; the email autoresponder requires the OS to be specified, and the GitHub downloads are currently not available.

  • The instructions suggested visiting the .onion address before "choosing who to submit to".

  • Added a recommendation to verify the .onion address against the SecureDrop Directory

  • Used more common terms in a couple of places (e.g., "USB Flash Drive" instead of "USB Key"), simplified Flag for Reply language

  • Wrap to 80 characters

Status

Ready for review

Checklint

  • All good on the linting front

- The "Get Tor" instructions as written didn't work; the email
  autoresponder requires the OS to be specified, and the GitHub
  downloads are currently not available.

- The instructions suggested visiting the .onion address _before_
  "choosing who to submit to".

- Added a recommendation to verify the .onion address against the
  SecureDrop Directory

- Used more common terms in a couple of places (e.g.,
  "USB Flash Drive" instead of "USB Key"), simplified Flag for
  Reply language

- Wrap to 80 characters
@eloquence
Member Author

If this looks good, I'd recommend approval but not merge until the issue with the new "Report an Error" form is resolved (see freedomofpress/securedrop.org#648).

@eloquence eloquence added this to Ready for Review in SecureDrop Team Board Oct 8, 2019
Contributor

@emkll emkll left a comment

Thanks for the changes @eloquence, made a first pass through these changes, and have some comments inline for discussion.

docs/source.rst Outdated
* If your mail provider is less likely to be monitored, you can send a mail to
gettor@torproject.org with the text "linux", "windows" or "osx" in the body
(for your preferred operating system) and a bot will answer with instructions.
* If you routinely use Git, you can use GitLab to
Contributor

nit: git is the protocol. I think using gitlab vs torproject.org from a dns perspective makes it easier, but that point may be moot if they are reading this from docs.securedrop.org. For that reason, I suggest dropping "If you routinely use Git" from the sentence

Member Author

Reworded in 53e978e. I'm not very fond of having this here at all given the lack of verification instructions. Perhaps we should just describe the email service and leave it at that?

Contributor

Circling back to this comment, if #4880 (comment) is overly technical, using git(lab) could, in some cases, also be considered overly technical.

The GitLab hosting resolves most of the issues the email approach solves (how to get tor if torproject.org is blocked). I'd be curious, from a source perspective, if there would be reticence to use email since they would either use their personal account or create a new one.

Member

Guys, what are the chances Torproject will be blocked—or, that anyone will be able to make sense of Gitlab, or know what Git is? We're making a lot of assumptions here and designing for extreme worst-case scenarios. There should be a content fork in there, for folks in at-risk locations where Tor may be blocked... but by default, I feel strongly that users need to be directed to the Tor website. Mostly because there is also helpful content framing what Tor is/does, etc.

"Why shd I trust an installation from a place like this 'gitlab' place you're directing me to, vs the company that owns and makes Tor?" is the other reason. Non-technical folks just don't have a mental model of how the FOSS ecosystem works, and base their opsec decisions around anecdotal impressions we're trying to gently re-shape.

Also, while folks in poorer regions may be using Linux, a majority of users will not. Nor will they be able to make sense of an installation that is not packaged for consumer-grade interaction.

Member Author

Note that the guide currently only speaks to the "likely to be monitored" scenario. That said, this is mostly old text, and I'm personally not fully convinced it's helpful. We say in the intro that the user should locate themselves in a place with Internet access they don't typically go to. Isn't that then also the best place to download Tor from? And in that case, are these instructions helping to mitigate that risk?

This may be lost in the diff, but my main goal with this edit was to fix obviously broken things, like the GitHub link that no longer works. While I understand how all these issues with the original text stand out during a review, I would recommend landing this change, then filing another issue for actually thinking through this Tor browser download scenario more carefully, and tailoring our advice to different audiences.

* If you routinely use Git, you can use GitLab to
`download the Tor Browser <https://gitlab.com/thetorproject/gettorbrowser/tree/torbrowser-releases>`__.

While using the Tor Browser on your personal computer helps hide your activity
Contributor

Another fact worth stating here is that in its default configuration, Tor does not hide the fact that you are using Tor

Member Author

OK, added a note to that effect in 53e978e. I agree this is an important -- potentially life-altering -- warning to have, but am also worried about people completely misunderstanding it. What do you think about this wording, does it strike the right balance?

Member

OK—is this, then, validation @emkll that we should take more aggressive measures at the beginning of the Source UI to get users to change their Tor browser's security settings? Relevant to this one edit—let's be sure to give them clear guidance that WILL assuredly protect them, and let them know that, if indeed it is decided to state that in its default config Tor will not conceal their use of Tor. It's ok to make extreme statements, but only if we offer direct remedies for users to take to protect themselves.

Contributor

In this (very specific) case, I don't think the Tor browser settings would change much to the overall risk. This is a subset of the first contact problem, where we need to bring more awareness about Tor and its properties more generally. This might, in the future, be useful language to include in landing pages, but I think that for now a disclaimer is warranted and also the best we can do. The wording seems quite good to me in 53e978e.

docs/source.rst Outdated
machine. For even greater deniability and security, we recommend booting into the
`Tails operating system`_ (typically from a USB stick). Tails is specifically
designed to run on your computer without leaving traces of your activity, and
automatically routes all of your Internet browsing through Tor so you can easily
Contributor

Perhaps adding something that will evoke segmentation for the prospective source, something like: "By using Tails, you reduce the risk of operating system level logging, indexing, and certain monitoring/management tools on your everyday workstation, as well as not interacting with your files/applications"

Member Author

I find that language a bit too technical to be honest, but I tried to make it clearer in 53e978e that there's additional OS-level activity logging Tails mitigates against. Does that work for you?

Member

Imposter syndrome is real; let's be mindful to not trigger that in users... :)

Contributor

Fair points, in retrospect the wording is definitely way too technical. I would however like to evoke the concept of segmenting work/personal and whistleblowing activities. Mixing these activities together greatly increases the odds of opsec failures. Either in this section or elsewhere in the document, it might be a useful concept to explain.

Member Author

I've tried to speak further to the opsec aspect in 8375ee5, trying to use relatable examples of features and behaviors that may impact operational security.

Member

Absolutely!! I would consider the audience this is written for, however; which is journalists and other people at host orgs. It's not a guide for sources, it's just a guide for using the Source UI. We still need to craft a "Source Guide," and I'd love to see that prioritized more highly. Because y'know, everything else we're doing is less of a priority (or something)? :/

docs/source.rst Outdated

While using the Tor Browser on your personal computer helps hide your activity on the network, it leaves traces (of its own installation) on your local machine. For even more deniability, we recommend booting into a live system such as `Tails`_ for a higher level of security. Tails is specifically designed to run on your computer without leaving traces of your activity, and automatically routes all of your Internet browsing through Tor so you can easily access SecureDrop safely.
Each SecureDrop instance is totally independent, and submissions to that
Contributor

I propose "each SecureDrop instance is operated and administered independently by the news organization"

Member Author

Worded very similarly in 53e978e (I try not to overuse "news organization" since not all orgs using SecureDrop are strictly speaking news orgs).

Member

"host organization" feels like a fit, perhaps? The language "instance" and "host" both used throughout, is what felt best to me when I took a stab at this a while ago.

docs/source.rst Outdated
recommend comparing the address of the entry with the one on the
organization's own *Landing Page*. If the two addresses don't match, please
do not submit to this organization yet. Instead, please
`contact us <https://securedrop.org/report-an-error>`__ through th
Contributor

Perhaps the onion URL would be useful here

Member Author

Excellent point, added in 53e978e.

docs/source.rst Outdated
reasons. This will only happen the first time a journalist replies and
with subsequent replies you will skip this step. Click **Refresh** or
log in again to see if a journalist has responded.
once and is overloaded with submissions, you may see the message below:
Contributor

I propose changing overloaded to "experiences a surge in traffic" or "is experiencing high traffic volume"

Member Author

Yeah I can see why :), reworded in 53e978e.

- GitLab mirror rewording
- Note that Tor browser usage can be detected
- Add .onion address for securedrop.org
- Other minor edits
emkll
emkll previously approved these changes Oct 17, 2019
Contributor

@emkll emkll left a comment

Thanks @eloquence and @ninavizz, I think most of my comments have been resolved, except for one last thread regarding Tails here: #4880 (comment). I think it's an important concept to present in the source guide, but also don't think it should block merge if you don't find this useful.

I will approve this PR and merge it tomorrow, so that others could take a quick look/comment if they are interested.

redshiftzero
redshiftzero previously approved these changes Oct 22, 2019
Contributor

@redshiftzero redshiftzero left a comment

this is a definite improvement, thanks!

optional: link to https://freedom.press/news/sharing-sensitive-leaks-press/ since that's a nice article covering many of the same concerns? I'll approve and wait a bit before merging in case you want to add a link to that article

@eloquence
Member Author

Added link to FPF guide (and some additional context) in 85e6e96

@redshiftzero redshiftzero merged commit abdebc1 into develop Oct 23, 2019
SecureDrop Team Board automation moved this from Ready for Review to Done Oct 23, 2019
@redshiftzero redshiftzero deleted the docs-source-guide-cleanup branch October 23, 2019 17:19
4 participants