TALKinGOA: Transparency, whistleblowing... and computing
Frederick Noronha
2018-11-08 09:08:08 UTC
Talk Topic: Securedrop - The Open Source Whistleblower system
Talk Time: 7PM (seven p.m.)
Talk Date: 9th November
Venue: 91Springboard, 3rd Floor.
About Speaker: Kushal Das is a staff member of Freedom of the Press
Foundation. He is a core developer of CPython and the Tor network. He is also a
director at Python Software Foundation.
Minto adds: "I assure you that this is going to be an awesome talk :) "
Organised by the Free Software User Group (Goa). FSUG-Goa.


SecureDrop is an open-source software platform for secure communication
between journalists and sources (whistleblowers). It was originally
designed and developed by Aaron Swartz and Kevin Poulsen under the name
DeadDrop. James Dolan also co-created the software.


After Aaron Swartz's death, the first instance of the platform was launched
under the name Strongbox by staff at The New Yorker on 15 May 2013.[7] The
Freedom of the Press Foundation took over development of DeadDrop under the
name SecureDrop, and has since assisted with its installation at several
news organizations, including ProPublica, The Guardian, The Intercept, and
The Washington Post.[8][9][10]


SecureDrop uses the anonymity network Tor to facilitate communication
between whistleblowers, journalists, and news organizations. SecureDrop
sites are therefore only accessible as hidden services in the Tor network.
After a user visits a SecureDrop website, they are given a randomly
generated code name.[7] This code name is used to send information to a
particular author or editor via uploading. Investigative journalists can
contact the whistleblower via SecureDrop messaging. Therefore, the
whistleblower must take note of their random code name.[4]

The system utilizes private, segregated servers that are in the possession
of the news organization. Journalists use two USB flash drives and two
personal computers to access SecureDrop data.[4][7] The first personal
computer accesses SecureDrop via the Tor network, and the journalist uses the
first flash drive to download encrypted data from the Internet. The second
personal computer does not connect to the Internet, and is wiped during
each reboot.[4][7] The second flash drive contains a decryption code. The
first and second flash drives are inserted into the second personal
computer, and the material becomes available to the journalist. The
personal computer is shut down after each use.[4]

Freedom of the Press Foundation has stated it will have the SecureDrop code
and security environment audited by an independent third party before every
major version release and then publish the results.[11] The first audit was
conducted by University of Washington security researchers and Bruce
Schneier.[12] The second audit was conducted by Cure53, a German security

SecureDrop suggests sources disable JavaScript to protect anonymity.