SecureDrop appliances

Bonjour,

This is related to the discussions about server containerization and the SecureDrop workstation and proposing an intermediate step to improve the situation. In a nutshell, the idea is to not modify the software stack but package the hardware differently.

On the server side, the firewall, application server, monitoring server and the admin workstation could be presented as a single appliance. We would still have four different machines, physically separated, but they would be packaged together. The appliance would have one RJ45 cable attached to it, going to the firewall inside the appliance and connecting it to the news organization network. The wiring of the app / mon servers would be internal to the appliance. The admin Tails USB key, when plugged in, would go to the admin workstation, a machine not otherwise used, also within the appliance.

The journalist workstation and the secure viewing station would be bundled into one appliance, with one RJ45 attached to the journalist workstation and two USB ports to plug in the transfer key and the journalist Tails key. The secure viewing station would have only one USB port for the transfer key. And both machines would share a display port, keyboard and mouse since they can’t be used at the same time.

That’s a lot of machines and if we’re using NUC or similar hardware, the appliances will not be small. But the goal is not to make something small, it is to make something easier to use and maintain. The size problem will be resolved once server containerization and the SecureDrop workstation are implemented.

Why not just focus on implementing those? Why bother with this intermediate step? Because it can be implemented quickly (less than three months). From a user perspective the changes it introduces prepare the ground for containerized servers (the admin will just be happy that it all fits in a smaller box but will not see a real difference otherwise) and the Qubes-based journalist workstation (the journalists will be super happy to see that they gain the ability to interact in a controlled way with the secure viewing station).

User stories:

  • As a SecureDrop Admin working in a news organization I configure a single appliance using the Tails admin key instead of installing and wiring together machines that have not been tested.
  • As a SecureDrop Admin working in a news organization I can provide a single appliance to a journalist, instead of a journalist workstation (or trying to ensure the journalist Tails key works with the journalist’s own laptop) and a secure viewing station.
  • As a SecureDrop support person I can test the appliance before it is installed in a news organization and resolve the problems without bothering their SecureDrop admin.
  • As a SecureDrop support person I can deliver another appliance to a news organization that experiences problems that cannot be fixed remotely, instruct them to back up the previous appliance’s submissions, set up the new one and restore the backup.
  • As a SecureDrop security engineer I am in a better position to verify that the server and journalist appliances implement the recommended measures.
  • As a SecureDrop security engineer I can come up with variations in how the appliance is assembled and which hardware it actually contains without imposing that burden on the journalist or the sysadmin of the news organization.
  • As a SecureDrop developer I do not need to document every detail of installing the inner components of the appliance because I can require that the person assembling the appliance be more familiar with the software / hardware than the typical SecureDrop Admin working at a news organization. This leads to documentation that is easier to maintain.
  • As a journalist using SecureDrop I have only one machine to deal with instead of two.

I’ve been thinking about this in the past few weeks only and maybe I overlooked something important. But I’m sure of one thing: we need to find a way to make incremental progress on the journalist workstation and the server appliance. It would be wrong to not deliver something in the next three months.

What do you think?