Google Summer of Code 2018 Ideas
About SecureDrop project
SecureDrop is an open-source whistleblower submission system that media organizations can use to securely accept documents from and communicate with anonymous sources. It was originally created by the late Aaron Swartz and is currently managed by Freedom of the Press Foundation.
The project has a few different parts. The web application itself is a Python Flask application that is deployed at the news organization, alongside a monitoring service running on a second computer. Admins and journalists access the system from separate laptops booted from Tails-based USB sticks. The application is reachable only over the Tor network.
Contacting the developers and rest of the community
We use a Gitter channel and a forum for all communication related to development of the project. We also hold daily video stand-up meetings at 18:00 UTC. Any interested student should come to the Gitter channel and say "Hi". The developers of the project are spread across time zones all over the world, so it may take some time before someone replies on the channel.
Please join the channel from a computer rather than a mobile phone; it will make typing easier. Also write in full English words rather than SMS-style abbreviations.
Links to read before everything else
Getting started with development of SecureDrop
Tips for writing GSoC application
Please mention SecureDrop in the title of your student application. Use the student template from the PSF to write your application. Remember to showcase all of your previous open source contributions and also provide the URL of your blog.
The following are the project ideas we already have. Students can choose any of them to work on, or come to the Gitter channel mentioned above to discuss new ideas.
Improve monitoring of SecureDrop source interfaces
- Description: We currently use Nagios to monitor source interfaces. We send alerts to SecureDrop administrators when we detect their source interfaces are down. Unfortunately the current approach leads to a lot of false positives, which causes admin frustration and confusion. The student’s project would be to develop an improved monitoring solution using the Tor stem library and integrate it into the securedrop.org directory (being migrated to Django).
- Skills required: Python, Django, stem
- Difficulty level: Intermediate
- Related links to read: stem documentation
- Potential mentors: redshiftzero, kushaldas
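An added example (not SecureDrop's or securedrop.org's own code) of the kind of check a stem-based monitor could run, showing one way to cut the false positives described above: a failed descriptor fetch is retried on the spot, and an alert fires only after the check has failed on several consecutive polls, once, with a matching recovery event. The `stem_probe` function assumes a local tor daemon with ControlPort 9051 and cookie authentication (hypothetical setup) and uses stem's `Controller.get_hidden_service_descriptor`, which fetches v2 onion descriptors; the demo swaps in a scripted probe, constructed here, so the policy logic runs offline. The onion address in the demo is a constructed placeholder.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence

# A probe answers "could the onion service's descriptor be fetched right now?"
Probe = Callable[[str], bool]


def stem_probe(onion_address: str, control_port: int = 9051) -> bool:
    """Fetch the hidden-service descriptor over the local Tor control port.

    Assumes tor is running with ControlPort 9051 and cookie authentication
    (hypothetical setup). This stem call handles v2 onion descriptors.
    """
    from stem.control import Controller  # imported lazily: stem is not needed for the policy logic

    try:
        with Controller.from_port(port=control_port) as controller:
            controller.authenticate()
            controller.get_hidden_service_descriptor(onion_address)
        return True
    except Exception:
        # Any control-port or fetch error is one failed attempt, not an outage by itself.
        return False


@dataclass
class ServiceState:
    consecutive_failures: int = 0
    alerted: bool = False


class OnionMonitor:
    """Retry each probe and require several consecutive failed polls before alerting."""

    def __init__(self, probe: Probe, attempts: int = 3, failure_threshold: int = 2,
                 retry_delay: float = 0.0) -> None:
        self.probe = probe
        self.attempts = attempts                    # probe attempts per poll
        self.failure_threshold = failure_threshold  # failed polls in a row before alerting
        self.retry_delay = retry_delay
        self.states: Dict[str, ServiceState] = {}

    def check_once(self, onion: str) -> bool:
        """One poll: succeeds if any attempt succeeds (a retry may use another circuit or HSDir)."""
        for attempt in range(self.attempts):
            if self.probe(onion):
                return True
            if attempt + 1 < self.attempts and self.retry_delay:
                time.sleep(self.retry_delay)
        return False

    def poll(self, onion: str) -> str:
        """Return the event for this poll: ok, degraded, alert, down or recovered."""
        state = self.states.setdefault(onion, ServiceState())
        if self.check_once(onion):
            state.consecutive_failures = 0
            if state.alerted:
                state.alerted = False
                return "recovered"
            return "ok"
        state.consecutive_failures += 1
        if state.alerted:
            return "down"          # already alerted: do not page the admin again
        if state.consecutive_failures >= self.failure_threshold:
            state.alerted = True
            return "alert"
        return "degraded"          # below threshold: record it, send nothing


def scripted_probe(results: Sequence[bool]) -> Probe:
    """Constructed stand-in for stem_probe: hands out the scripted results in order."""
    it = iter(results)
    return lambda _onion: next(it, False)


def demo() -> List[str]:
    # Constructed scenario: a transient circuit failure, then a real outage, then recovery.
    results = [
        False, True,           # poll 1: first attempt fails, the retry succeeds -> ok
        False, False, False,   # poll 2: every attempt fails -> degraded (below threshold)
        False, False, False,   # poll 3: second failed poll in a row -> alert fires once
        False, False, False,   # poll 4: still down, no repeat alert -> down
        True,                  # poll 5: descriptor fetched again -> recovered
    ]
    monitor = OnionMonitor(scripted_probe(results), attempts=3, failure_threshold=2)
    return [monitor.poll("exampleonionaddr.onion") for _ in range(5)]  # constructed address


if __name__ == "__main__":
    print(demo())
```

A single-attempt check of the Nagios style described above would have paged the administrator on poll 1, where the retry shows the service was fine. In a directory integration, `poll` would run on a schedule for each listed instance and only the `alert` and `recovered` events would be mailed; `attempts`, `failure_threshold` and `retry_delay` are the knobs to tune against the observed rate of transient Tor failures.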
Add SecureDrop packages to Debian GNU/Linux and Tails
- Description: Rewrite the Ansible-based package creation for the SecureDrop app into proper Debian GNU/Linux packages and submit them to Debian GNU/Linux. Once the packages are part of the official Debian GNU/Linux distribution, propose them for inclusion in Tails.
- Skills required: Ansible, Python, Debian GNU/Linux packaging
- Difficulty level: Intermediate
- Related links to read: pdf-redact-tools added to Debian GNU/Linux, pdf-redact-tools package proposal to Tails
- Potential mentors: Loïc Dachary, heartsucker, kushaldas
Reproducible builds for SecureDrop Debian packages
- Description: The Debian packages used for SecureDrop are built from a signed git tag on the GitHub repository, then distributed via an apt repository. The package build process is not reproducible, however, so users who wish to verify the integrity of the packages beyond trusting the SecureDrop Release Signing Key cannot easily do so.
- Skills required: Debian, packaging, diffoscope
- Difficulty level: Intermediate
- Related links to read
- Potential mentors: conorsch, kushaldas
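An added example (not the SecureDrop build's own code) of what makes a package build unreproducible and how reproducible-builds tooling fixes it. It packs a small tar archive, constructed here to stand in for a .deb's data.tar, first with the build machine's clock, user account and directory-walk order, then with SOURCE_DATE_EPOCH-style normalisation, and names the first differing field much as diffoscope would. The file contents, package name and epoch value are constructed for the example.

```python
import hashlib
import io
import tarfile
from typing import Dict

# Constructed value: a real build takes this from the SOURCE_DATE_EPOCH environment
# variable, typically the timestamp of the latest debian/changelog entry.
SOURCE_DATE_EPOCH = 1514764800  # 2018-01-01T00:00:00Z

TAR_FIELDS = ("name", "size", "mode", "mtime", "uid", "gid", "uname", "gname")


def build_archive(files: Dict[str, bytes], build_time: int, reproducible: bool) -> bytes:
    """Pack files into an uncompressed tar, either naively or with normalised metadata."""
    buf = io.BytesIO()
    # Naive: whatever order the directory walk returned. Reproducible: sorted by name.
    names = sorted(files) if reproducible else list(files)
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in names:
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o644
            if reproducible:
                info.mtime = SOURCE_DATE_EPOCH   # clamp every timestamp to the source date
                info.uid = info.gid = 0          # fixed owner instead of the builder's account
                info.uname = info.gname = "root"
            else:
                info.mtime = build_time          # the build machine's clock leaks in
                info.uid = info.gid = 1000
                info.uname = info.gname = "builder"
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def first_difference(a: bytes, b: bytes) -> str:
    """Tiny diffoscope: name the first tar member field that differs, or 'identical'."""
    with tarfile.open(fileobj=io.BytesIO(a)) as ta, tarfile.open(fileobj=io.BytesIO(b)) as tb:
        ma, mb = ta.getmembers(), tb.getmembers()
        if len(ma) != len(mb):
            return f"member count {len(ma)} != {len(mb)}"
        for x, y in zip(ma, mb):
            for field in TAR_FIELDS:
                if getattr(x, field) != getattr(y, field):
                    return f"{x.name}: {field} {getattr(x, field)!r} != {getattr(y, field)!r}"
            if ta.extractfile(x).read() != tb.extractfile(y).read():
                return f"{x.name}: contents differ"
    return "identical"


def demo() -> Dict[str, object]:
    # Constructed package contents; the two dicts hold the same files in a different
    # directory-walk order, as two build machines might return them.
    files_a = {"DEBIAN/control": b"Package: example-app\nVersion: 0.1\n",
               "usr/bin/example-app": b"#!/bin/sh\necho example\n"}
    files_b = {"usr/bin/example-app": files_a["usr/bin/example-app"],
               "DEBIAN/control": files_a["DEBIAN/control"]}
    t1, t2 = 1520000000, 1520003600  # two builds an hour apart

    naive = (build_archive(files_a, t1, False), build_archive(files_b, t2, False))
    repro = (build_archive(files_a, t1, True), build_archive(files_b, t2, True))
    return {
        "naive_hashes": (sha256(naive[0]), sha256(naive[1])),
        "naive_diff": first_difference(*naive),
        "reproducible_hashes": (sha256(repro[0]), sha256(repro[1])),
        "reproducible_diff": first_difference(*repro),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The naive pair differs in member order before the timestamps are even compared; the normalised pair hashes identically, which is the property that lets a third party rebuild from the signed git tag and compare against the apt repository instead of trusting the release key alone. A real .deb adds more layers with the same problem: gzip and xz headers carry their own timestamps (Python's `gzip.GzipFile` takes an `mtime` argument for exactly this reason), and the outer `ar` container has per-member mtimes and owners. diffoscope walks all of those layers and reports the first differing field at each one.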
Prototype client-side cryptography for use in SecureDrop
- Difficulty level: Hard
- Potential mentors: redshiftzero, emkll
Prototype Greenfield Re-Design of the Logging story with Elasticsearch-Logstash + OSSEC
A SecureDrop production deployment today uses a second physical machine dedicated to running the OSSEC HIDS and sending out email alerts. The current design is frail and barrages the administrator with messages that are not directly actionable. Internally at FPF we have a lot of experience with the ELK stack (Elasticsearch-Logstash-Kibana) coupled with ElastAlert for generating actionable alerts. We need someone to go one step further: do further research, integrate a HIDS (OSSEC is the first likely candidate) into the system, and get actionable alerts firing again!