New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Copyedit and update Source Guide #4880
Changes from 1 commit
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -4,73 +4,127 @@ Source Guide | |
Choosing the Right Location | ||
--------------------------- | ||
|
||
When national security is involved, we suggest you buy a new computer, | ||
a USB key and pay cash. In any case you must then find a busy | ||
coworking place or cyber cafe you don't regularly go to and sit at a | ||
place with your back to a wall to avoid cameras capturing information | ||
on your screen or keystrokes. | ||
When national security is involved, we suggest you buy a new computer and a | ||
USB flash drive, using cash. In any case you must then find a busy coworking | ||
place or cyber cafe you don't regularly go to and sit at a place with your back | ||
to a wall to avoid cameras capturing information on your screen or keystrokes. | ||
|
||
Get the Tor Browser | ||
------------------- | ||
|
||
Each SecureDrop instance has a publicly available *Source Interface*: a website where sources can create anonymous accounts, submit files and messages, and check back for replies. | ||
Each SecureDrop instance has a publicly available *Source Interface:* a website | ||
where sources can create anonymous accounts, submit files and messages, and | ||
check back for replies. | ||
|
||
Each *Source Interface* is only available as an onion service, which is a | ||
special type of website with an address ending in ".onion" that is only | ||
accessible through Tor. Tor is an anonymizing network that makes it difficult | ||
for anybody observing the network to associate a user's identity (e.g., their | ||
computer's IP address) with their activity (e.g., uploading information to | ||
SecureDrop). | ||
|
||
The easiest and most secure way to use Tor is to download the Tor Browser from | ||
the `Tor Project website`_. The Tor Browser is a modified version of the Firefox | ||
web browser. It was designed to protect your security and anonymity while | ||
using Tor. If there is a chance that downloading the Tor Browser raises | ||
suspicion, you have a few alternatives, for example: | ||
|
||
* If your mail provider is less likely to be monitored, you can send a mail to | ||
gettor@torproject.org with the text "linux", "windows" or "osx" in the body | ||
(for your preferred operating system) and a bot will answer with instructions. | ||
* If you routinely use Git, you can use GitLab to | ||
`download the Tor Browser <https://gitlab.com/thetorproject/gettorbrowser/tree/torbrowser-releases>`__. | ||
|
||
While using the Tor Browser on your personal computer helps hide your activity | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Another fact worth stating here is that in its default configuration, Tor does not hide the fact that you are using Tor There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. OK, added a note to that effect in 53e978e. I agree this is an important -- potentially life-altering -- warning to have, but am also worried about people completely misunderstanding it. What do you think about this wording, does it strike the right balance? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. OK—is this, then, validation @emkll that we should take more aggressive measures at the beginning of the Source UI to get users to change their Tor browser's security settings? Relevant to this one edit—let's be sure to give them clear guidance that WILL assuredly protect them, and let them know that, if indeed it is decided to state that in its default config Tor will not conceal their use of Tor. It's ok to make extreme statements, but only if we offer direct remedies for users to take to protect themselves. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. In this (very specific case), I don't think the Tor browser settings would change much to the overall risk. This is a subset of the first contact problem, where we need to bring more awareness about Tor and its properties more generally. This might, in the future, be useful language to include in landing pages, but I think that for now a disclaimer is warranted and also the best we can do. The wording seems quite good to me in 53e978e |
||
on the network, it leaves traces of its own installation on your local | ||
machine. For even greater deniability and security, we recommend booting into the | ||
`Tails operating system`_ (typically from a USB stick). Tails is specifically | ||
designed to run on your computer without leaving traces of your activity, and | ||
automatically routes all of your Internet browsing through Tor so you can easily | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Perhaps adding something that will evoke segmentation for the prospective source, something like: "By using tails, you reduce the risk of operating system level logging, indexing, and certain monitoring/management tools on your everyday workstation, as well as not interacting with your files/applications" There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I find that language a bit too technical to be honest, but I tried to make it clearer in 53e978e that there's additional OS-level activity logging Tails mitigates against. Does that work for you? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Imposter syndrome is real; let's be mindful to not trigger that in users... :) There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Fair points, in restrospect the wording is definitely way too technical. I would however like to evoke the concept of segmenting work/personal and whistleblowing activities. Mixing these activities together greatly increases the odds of opsec failures. Either in this section or elsewhere in the document, it might be a useful concept to explain There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I've tried to speak further to the opsec aspect in 8375ee5, trying to use relatable examples of features and behaviors that may impact operational security. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Absolutely!! I would consider the audience this is written for, however; which is journalists and other people at host orgs. It's not a guide for sources, it's just a guide for using the Source UI. We still need to craft a "Source Guide," and I'd love to see that prioritized more highly. Because y'know, everything else we're doing is less of a priority (or something)? :/ |
||
access SecureDrop safely. | ||
|
||
Each Source Interface is only available as a *Tor Hidden Service*, which is a special type of website with an address ending in ".onion" that is only accessible through Tor. Tor is an anonymizing network that makes it difficult for anybody observing the network to associate a user's identity (e.g. their computer's IP address) with their activity (e.g. uploading information to SecureDrop). | ||
.. _`Tor Project website`: https://www.torproject.org/ | ||
.. _`Tails operating system`: https://tails.boum.org/ | ||
|
||
The easiest and most secure way to use Tor is to download the Tor Browser from the `Tor Project website`_. The Tor Browser is a modified version of the Firefox web browser designed to protect your security and anonymity while using Tor. If there is a chance that downloading the Tor Browser raises suspicion, you have a few alternatives. | ||
Choose Who to Submit To | ||
----------------------- | ||
We recommend conducting all research related to your submission in Tor Browser. | ||
If you are unsure whether you are using Tor, you can visit the address | ||
https://check.torproject.org. | ||
|
||
* If your mail provider is less likely to be monitored, you can send a mail to gettor@torproject.org and a bot will answer with instructions | ||
* If you routinely use GitHub, you can use it to `download the Tor Browser <https://github.com/TheTorProject/gettorbrowser>`__ | ||
All organizations operating SecureDrop have a *Landing Page* that provides their | ||
own organization-specific recommendations for using SecureDrop. We encourage you | ||
to consider an organization's *Landing Page* before submitting to them. | ||
|
||
Once you have the Tor Browser, launch it and enter the ".onion" address for the Source Interface of the organization that you wish to submit to. You can find this address on the organization's *Landing Page*, or listed on the SecureDrop Directory. | ||
.. note:: | ||
|
||
While using the Tor Browser on your personal computer helps hide your activity on the network, it leaves traces (of its own installation) on your local machine. For even more deniability, we recommend booting into a live system such as `Tails`_ for a higher level of security. Tails is specifically designed to run on your computer without leaving traces of your activity, and automatically routes all of your Internet browsing through Tor so you can easily access SecureDrop safely. | ||
Each SecureDrop instance is totally independent, and submissions to that | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I propose "each SecureDrop instance is operated and administered independently by the news organization" There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Worded very similarly in 53e978e (I try not to overuse "news organization" since not all orgs using SecureDrop are strictly speaking news orgs). There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. "host organization" feels like a fit, perhaps? The language "instance" and "host" both used throughout, is what felt best to me when I took a stab at this a while ago. |
||
instance are only available to journalists associated with that organization. | ||
|
||
.. _`Tor Project website`: https://www.torproject.org/ | ||
.. _`Tails`: https://tails.boum.org/ | ||
Most organizations make their *Landing Page* prominently accessible from their | ||
main website's homepage (for news organizations, typically under sections called | ||
"Tips" or "Contact us"). You can also find an incomplete list of organizations | ||
accepting submissions through SecureDrop in the `SecureDrop Directory`_ | ||
maintained by Freedom of the Press Foundation. | ||
|
||
Using the Tor Browser, find the ".onion" address for the *Source Interface* of | ||
the organization that you wish to submit to. | ||
|
||
Choose Who to Submit To | ||
----------------------- | ||
.. tip:: | ||
|
||
Each SecureDrop instance is totally independent, and submissions to that instance are only available to journalists associated with that organization. | ||
If the organization does have an entry in the SecureDrop Directory, we | ||
recommend comparing the address of the entry with the one on the | ||
organization's own *Landing Page*. If the two addresses don't match, please | ||
do not submit to this organization yet. Instead, please | ||
`contact us <https://securedrop.org/report-an-error>`__ through th | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Perhaps the onion URL would be useful here There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Excellent point, added in 53e978e. |
||
SecureDrop Website, using the Tor Browser. We will update the directory entry | ||
if it is incorrect. | ||
|
||
All organizations have a *Landing Page* that provides their own organization-specific recommendations for using SecureDrop. We encourage you to consider an organization's *Landing Page* before submitting to them. | ||
|
||
Most organizations make their *Landing Page* prominently accessible from their main website's homepage. You can also find an incomplete list of organizations accepting submissions through SecureDrop on the `SecureDrop Directory`_ maintained by Freedom of the Press Foundation. | ||
Once you have located the ".onion" address, copy it into the address bar in Tor | ||
Browser to visit the organization's *Source Interface*. | ||
|
||
.. _`SecureDrop Directory`: https://securedrop.org/directory | ||
|
||
Making Your First Submission | ||
---------------------------- | ||
|
||
Open the Tor Browser and navigate to the .onion address for the SecureDrop | ||
Source Interface you wish to make a submission to. The page should look similar | ||
*Source Interface* you wish to make a submission to. The page should look similar | ||
to the screenshot below, although it will probably have a logo specific to the | ||
organization you are submitting to. | ||
organization you are submitting to: | ||
|
||
|Source Interface with Javascript Disabled| | ||
|
||
If this is the first time you're using the Tor Browser, it's likely that you | ||
have JavaScript enabled and that the Security Setting that the Tor Browser provides | ||
is set to "Low". If you do, there will be a purple warning banner at the top of | ||
the page that encourages you to disable JavaScript and turn up the **Security Setting** to **Safest**: | ||
have JavaScript enabled and that the Tor Browser's security setting is set | ||
to "Low". In this case, there will be a purple warning banner at the top of | ||
the page that encourages you to disable JavaScript and change the security | ||
setting to "Safest": | ||
|
||
|Source Interface Security Slider Warning| | ||
|
||
Click the **Security Setting** link in the warning banner and a | ||
message bubble will pop up explaining how to disable JavaScript and configure your security properly: | ||
Click the **Security Setting** link in the warning banner, and a message bubble | ||
will pop up explaining how to adjust this setting: | ||
|
||
|Fix Javascript warning| | ||
|
||
Follow the instructions and the page should refresh automatically. Note | ||
that this will change your security settings and disable JavaScript for every page in your | ||
Tor Browser, and this setting will persist across browser sessions. | ||
Follow the instructions, and the security setting in Tor Browser should look | ||
similar to this screenshot: | ||
|
||
|Security Slider| | ||
|
||
The page should look similar to the screenshot below. If this is the first | ||
time you are using SecureDrop, click the **Get Started** button. | ||
.. note:: | ||
|
||
The "Safest" setting disables the use of JavaScript on every page you visit | ||
using Tor Browser, even after a browser restart. This may cause other | ||
websites you visit using Tor Browser to no longer work correctly, until | ||
you adjust the Security Setting again. We recommend keeping the setting at | ||
"Safest" during the entirety of the session in which you access an | ||
organization's SecureDrop instance. | ||
|
||
The SecureDrop *Source Interface* should now refresh automatically and look | ||
similar to the screenshot below. If this is the first time you are using | ||
SecureDrop, click the **Get Started** button. | ||
|
||
|Source Interface with Javascript Disabled| | ||
|
||
|
@@ -96,7 +150,7 @@ Once you have generated a codename and put it somewhere safe, click | |
You will next be brought to the submission interface, where you may | ||
upload a document, enter a message to send to journalists, or both. You | ||
can only submit one document at a time, so you may want to combine | ||
several files into a zip archive if necessary. The maximum submission | ||
several files into a ZIP archive if necessary. The maximum submission | ||
size is currently 500MB. If the files you wish to upload are over that | ||
limit, we recommend that you send a message to the journalist explaining | ||
this, so that they can set up another method for transferring the | ||
|
@@ -132,7 +186,7 @@ Continuing the Conversation | |
|
||
If you have already submitted a document and would like to check for | ||
responses, click the **Log in** button on the media | ||
organization's SecureDrop homepage. | ||
organization's *Source Interface*. | ||
|
||
|Source Interface with Javascript Disabled| | ||
|
||
|
@@ -145,8 +199,8 @@ If a journalist has responded, their message will appear on the | |
next page. This page also allows you to upload another document or send | ||
another message to the journalist. Before leaving the page, you should | ||
delete any replies. In the unlikely event that someone learns | ||
your codename, this will keep your identity secret as no one will be | ||
able to see the previous correspondences you had with journalists. | ||
your codename, this will ensure that they will not be able to see the previous | ||
correspondences you had with journalists. | ||
|
||
|Check for a reply| | ||
|
||
|
@@ -156,17 +210,16 @@ below message. | |
|Delete received messages| | ||
|
||
If the server experiences a large number of new sources signing up at | ||
once and is overloaded with submissions, the journalist will flag your | ||
message on their end and you will see the message below. They can't | ||
write a reply to you until you've seen this message for security | ||
reasons. This will only happen the first time a journalist replies and | ||
with subsequent replies you will skip this step. Click **Refresh** or | ||
log in again to see if a journalist has responded. | ||
once and is overloaded with submissions, you may see the message below: | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I propose changing overloaded to "experiences a surge in traffic" or "is experiencing high traffic volume" There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yeah I can see why :), reworded in 53e978e. |
||
|
||
|Check for an initial response| | ||
|
||
Repeat these steps to continue communicating with the journalist. | ||
This will only happen once for a given codename. It means that the journalist | ||
wants to reply to your submission, but for security reasons, they cannot do so | ||
until you've seen this message. Log in again at a later time to see if the | ||
journalist has responded. | ||
|
||
Repeat these steps to continue communicating with the journalist. | ||
|
||
.. |Source Interface Security Slider Warning| image:: images/manual/securedrop-security-slider-warning.png | ||
.. |Security Slider| image:: images/manual/source-turn-slider-to-high.png | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: git is the protocol. I think using gitlab vs torproject.org from a dns perspective makes it easier, but that point may be moot if they are reading this from docs.securedrop.org. For that reason, i suggest dropping "If you routinely use Git" from the sentence
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reworded in 53e978e. I'm not very fond of having this here at all given the lack of verification instructions. Perhaps we should just describe the email service and leave it at that?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Circling back to this comment, if #4880 (comment) is overly technical, using git(lab) could, in some cases, also be considered overly technical.
The GitLab hosting resolves most of the issues the email approach solves (how to get tor if torproject.org is blocked). I'd be curious, from a source perspective, if there would be reticence to use email since they would either use their personal account or create a new one.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Guys, what are the chances Torproject will be blocked—or, that anyone will be able to make sense of Gitlab, or know what GIt is? We're making a lot of assumptions here and designing for extreme worst-case scenarios. There should be a content fork in there, for folks in at-risk locations where Tor may be blocked... but by default, I feel strongly that users need to be directed to the Tor website. Mostly because there is also helpful content framing what Tor is/does, etc.
"Why shd I trust an installation from a place like this 'gitlab' place you're directing me to, vs the company that owns and makes Tor?" is the other reason. Non-technical folks just don't have a mental model of how the FOSS ecosystem works, and base their opsec decisions around anecdotal impressions we're trying to gently re-shape.
Also, while folks in poorer regions may be using Linux, a majority of users will not. Nor will they be able to make sense of an installation that is not packaged for consumer-grade interaction.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note that the guide currently only speaks to the "likely to be monitored" scenario. That said, this is mostly old text, and I'm personally not fully convinced it's helpful. We say in the intro that the user should locate themselves in a place with Internet access they don't typically go to. Isn't that then also the best place to download Tor from? And in that case, are these instructions helping to mitigate that risk?
This may be lost in the diff, but my main goal with this edit was to fix obviously broken things, like the GitHub link that no longer works. While I understand how all these issues with the original text stand out during a review, I would recommend landing this change, then filing another issue for actually thinking through this Tor browser download scenario more carefully, and tailoring our advice to different audiences.