I confirm the demo does not work for me either after following the instructions at https://securedrop.org/demo. I’ll set up a demo so you can try it.
@conorsch any idea why the demo would fail? It needs to be upgraded to 0.4 anyway so it’s probably easier to just do that
Setting up a demo server with the following:
- bind demo.securedrop.club to 145.239.157.171
- install securedrop applications
```
git clone -b release/0.4 http://github.com/freedomofpress/securedrop
sudo apt-get update
sudo apt-get install -y build-essential libssl-dev libffi-dev python-dev virtualenv
```
FYI, a few days ago, I tried to test the demo, but as far as I remember, it was a 404… dunno whether this could be linked, or whether I’m confused by the fact that https://demo.globaleaks.org/#/?lang=en doesn’t respond either…
The demo source interface is available for demo at http://akasotp3vmzy2qve.onion/ and the demo journalist interface at
HidServAuth xpdip57v6gfyp64d.onion F9Yr/a4DfjNtMa5yqiGtoR
Username: journalist
Password: WEjwn8ZyczDhQSK24YKM8C9a
Can’t scan the barcode? Enter following shared secret manually: gwl2 c5xk 7cab hfr5
@manhack I have tested the above to work with a tor browser. If you need instructions on how to declare
HidServAuth xpdip57v6gfyp64d.onion F9Yr/a4DfjNtMa5yqiGtoR
so that you can access http://xpdip57v6gfyp64d.onion with your tor browser, please let me know. I just added it to the tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc file on my machine but it may be different for yours.
@conorsch @redshiftzero FYI the above demo is set up on three virtual machines: app.securedrop.club, mon.securedrop.club and demo.securedrop.club (in the role of the admin workstation). Unless you have a better idea I’ll document the setup so that it can be community maintained whenever a new SecureDrop version is published.
Thanks for the detailed report, @dachary, and for jumping in with a quick spin-up. The demo hosted on the securedrop.org website is quite a hack, and has been around for a long time. I’d prefer simply to remove it, and direct folks looking to take the interface for a spin to our developer documentation, where they can create local VMs with the very latest code and try everything out.
We’ve started a complete rewrite of the securedrop.org website—due to land in a few months—and the new site will have a much more cohesive documentation flow. We don’t plan to include a hacky “demo” of the SecureDrop interface on the new site.
For now, I’m going to tear down the non-working hacky demo and 302-redirect those links to the GitHub repository.
This is good for people with some development / admin skills. What if a journalist who never heard of Vagrant (and is presumably not very excited by the prospect of installing it) wants to try the journalist interface? Experimenting with the source interface is comparatively easy: she/he can go to an existing SecureDrop installation.
After some chat with @conorsch & @redshiftzero the best option seems to be to install a short-lived demo using the development environment, on a virtual machine at demo.securedrop.club. This will eventually be replaced by another demo based on an actual hardware-based installation and the demo.securedrop.club demo will be trashed. Working on that short-lived thing now:
```
openstack --quiet server create --image 'Ubuntu 17.04' --flavor 's1-4' --key-name loic --wait demo
```
Update gandi.net with demo.securedrop.club, source.demo.securedrop.club and journalist.demo.securedrop.club pointing to the allocated IPv4 and ssh to it.
```
sudo apt-get update
sudo apt-get install -y vagrant vagrant-libvirt vagrant-mutate libvirt-bin ansible
export VAGRANT_DEFAULT_PROVIDER=libvirt
vagrant plugin install vagrant-libvirt
vagrant box add --provider virtualbox bento/ubuntu-14.04
vagrant mutate bento/ubuntu-14.04 libvirt
sudo usermod -a -G kvm ubuntu
reboot
```
ssh again
```
git clone -b master http://lab.securedrop.club/main/securedrop.git
cd securedrop
vagrant up --provider libvirt development
```
Create the nginx reverse proxy
```
sudo apt-get install -y nginx
# The heredoc delimiter is quoted ('EOF') so the shell leaves $host,
# $remote_addr and $proxy_add_x_forwarded_for for nginx to expand.
# sudo tee writes the root-owned file from an unprivileged shell.
sudo tee /etc/nginx/sites-available/default > /dev/null <<'EOF'
server {
    listen 80;
    server_name source.demo.securedrop.club;
    access_log /var/log/nginx/source.demo.securedrop.club.access.log;
    error_log /var/log/nginx/source.demo.securedrop.club.error.log;
    root /usr/share/nginx/html;
    index index.html index.htm;

    ## send request back to apache1 ##
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

server {
    listen 80;
    server_name journalist.demo.securedrop.club;
    access_log /var/log/nginx/journalist.demo.securedrop.club.access.log;
    error_log /var/log/nginx/journalist.demo.securedrop.club.error.log;
    root /usr/share/nginx/html;
    index index.html index.htm;

    ## send request back to apache1 ##
    location / {
        proxy_pass http://127.0.0.1:8081;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
EOF
sudo systemctl restart nginx
```
Create the admin user and run the server
```
$ cd securedrop
$ vagrant ssh development
$ cd /vagrant/securedrop
$ ./manage.py add-admin
Username: journalist
Password: WEjwn8ZyczDhQSK24YKM8C9a
Confirm Password: WEjwn8ZyczDhQSK24YKM8C9a
Will this user be using a YubiKey [HOTP]? (y/N):
User "journalist" successfully added
If the barcode does not render correctly, try changing your terminal's font (Monospace for Linux, Menlo for OS X). If you are using iTerm on Mac OS X, you will need to change the "Non-ASCII Font", which is your profile's Text settings.
Can't scan the barcode? Enter following shared secret manually: jhco go7v cer3 ej4l
```
Get the private key
```
vagrant ssh -c 'cat /vagrant/securedrop/tests/files/test_journalist_key.sec' development
```
Add prominent warnings that this is a demo version
diff --git a/securedrop/journalist_templates/base.html b/securedrop/journalist_templates/base.html index 5365897f..11ccefc3 100644 --- a/securedrop/journalist_templates/base.html +++ b/securedrop/journalist_templates/base.html @@ -51,6 +51,11 @@ Powered by SecureDrop {{ version }}. ++This is a sample SecureDrop for demonstration purposes only. +
+
+ {% endblock %} diff --git a/securedrop/source_templates/base.html b/securedrop/source_templates/base.html index 0bf8caeb..cac6c3d9 100644 --- a/securedrop/source_templates/base.html +++ b/securedrop/source_templates/base.html @@ -38,6 +38,11 @@ Like all software, SecureDrop may contain security bugs. Use at your own risk. Powered by SecureDrop {{ version }}. ++This is a sample SecureDrop for demonstration purposes only. +
+
+ {% endblock %} diff --git a/securedrop/source_templates/index.html b/securedrop/source_templates/index.html index e5330f36..45122912 100644 --- a/securedrop/source_templates/index.html +++ b/securedrop/source_templates/index.html @@ -59,6 +59,11 @@ Like all software, SecureDrop may contain security bugs. Use at your own risk. Powered by SecureDrop {{ version }}. ++This is a sample SecureDrop for demonstration purposes only. +
+
+ <!-- Warning bubble to help TB users disable Javascript with NoScript.
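Review bot: the demo notice is inserted directly after the "Powered by SecureDrop {{ version }}." line in all three templates (journalist_templates/base.html, source_templates/base.html and source_templates/index.html), so it lands in the page footer, where a visitor who does not scroll will miss it. For a warning that is meant to be prominent, move it to the top of the page body, ahead of the main content. The same five added lines are also repeated in three files; putting the notice in one shared include would keep the wording identical and reduce the number of places that can conflict when this patch is rebased.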
Take a screenshot of the QR code, crop it and move the file to /usr/share/nginx/html/qr.png and copy the secret key to /usr/share/nginx/html/test_journalist_key.sec. Finally update the information at /usr/share/nginx/html/index.html to match the above.
Add a static part to the nginx configuration
```
# sudo tee -a appends to the root-owned file from an unprivileged shell.
sudo tee -a /etc/nginx/sites-available/default > /dev/null <<'EOF'
server {
    listen 80;
    server_name demo.securedrop.club;
    access_log /var/log/nginx/demo.securedrop.club.access.log;
    error_log /var/log/nginx/demo.securedrop.club.error.log;
    root /usr/share/nginx/html;
    index index.html index.htm;
}
EOF
sudo systemctl restart nginx
```
- Verify the source can submit a document
- Verify the journalist can login with the provided credentials
- Verify the document can be decrypted using the private key
The IP of demo.securedrop.club is a failover OVH IP that is independent of the server. To reset the server to its current state:
```
openstack server delete demo
openstack --quiet server create --image '2017-08-07-demo' --flavor 's1-4' --wait demo
ssh ubuntu@demo.securedrop.club
cd securedrop
screen
vagrant up --provider libvirt development
vagrant ssh development
cd /vagrant/securedrop
./manage.py run
```
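The nginx server blocks in the reverse-proxy step contain `$host`, `$remote_addr` and `$proxy_add_x_forwarded_for`, which a shell heredoc expands unless its delimiter is quoted. The following script is an added example, not part of the original posts; the function names `write_block` and `count_empty_headers` and the temporary file names are hypothetical.

```shell
#!/bin/sh
# Added example: effect of heredoc quoting on nginx variables.

# Write the three proxy headers from the thread's server block to file $2,
# using an "unquoted" or "quoted" heredoc delimiter as selected by $1.
write_block() {
    (
        # Mimic an ordinary shell where these names are not set.
        unset host remote_addr proxy_add_x_forwarded_for
        if [ "$1" = quoted ]; then
            cat > "$2" <<'EOF'
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
EOF
        else
            cat > "$2" <<EOF
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
EOF
        fi
    )
}

# Count proxy_set_header directives that have a name but no value, which is
# what remains after the shell has replaced an nginx variable with nothing.
count_empty_headers() {
    grep -Ec 'proxy_set_header[[:space:]]+[^[:space:];]+[[:space:]]*;' "$1" || true
}

demo() {
    tmp=$(mktemp -d)
    write_block unquoted "$tmp/unquoted.conf"
    write_block quoted "$tmp/quoted.conf"
    echo "unquoted delimiter: $(count_empty_headers "$tmp/unquoted.conf") empty header values"
    echo "quoted delimiter:   $(count_empty_headers "$tmp/quoted.conf") empty header values"
    rm -rf "$tmp"
}
demo
```

Running `nginx -t` before restarting the service also rejects a file with empty header values, since `proxy_set_header` requires both a name and a value.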
@manhack the demo is set up on the clearnet, it would be great if you could give it a try. I tested it myself but … http://demo.securedrop.club/
Shoot, fixing… thanks for the report
147.135.193.226 is demo.securedrop.club and should work. It will take a few hours to propagate the DNS change. I assumed the 188.165.44.166 failover IP which is also bound to the server would also work but apparently not.
To upgrade the demo:
- ssh ubuntu@demo.securedrop.club
- screen -x
- C-^ to switch to the window running ./manage.py and Control-C
- C-^ to switch to the window with a shell in the securedrop repository root
- git fetch # get the latest from master
- git rebase # the commit adding a big red warning is rebased against the latest
- C-^ to switch to the window where ./manage.py was interrupted and ./manage.py run
It (finally) worked, thanks \o/
and it seems quite easy to use
Thanks for setting up the new demo sites, @dachary! I’ve updated the Demo page on the SecureDrop website to point to your new instances: https://securedrop.org/demo Ran through the setup instructions with the new auth info and was able to log in.