Bonjour,
What if … SecureDrop was exclusively using a tails derivative? In this tails derivative there would be all packages SecureDrop needs. For OSSEC, app server, admin key, SVS, journalist key. The tails installer would show a choice for the type of installation (mon, app, svs, journalist, admin) and store site-specific in its persistent partition.
We start the installation with the admin key. When it starts a browser shows a fullscreen web page (flask based) with all values found in site-specific. We plug the USB key on the app server (which has not been installed with anything yet) and we install tails on the disk (the installer is modified to accept non-removable media as a valid installation option). We select the “app” installation type and when it is complete the journalist-aths + source-ths + app-ssh-ths + local IP are persisted on the admin key.
We then move the admin key to the mon server and install from the “mon” installation type using the “app” server local IP stored on the admin key. And the mon-ssh-ths is persisted to the admin key. And we can use ssh mon and ssh app from the admin key.
And we finally install the SVS on a USB key this time. And the journalists key is created from the web interface on the admin key which can ssh to the app to create it and create the USB key with links to the journalist + source interface using ths/aths collected during the installation of the app and stored on the admin key.
Pros:
- There is only one distribution (tails) instead of two (ubuntu/tails)
- The sysadmin installing SecureDrop is required to
  - enter all parameters (i.e. ./securedrop-admin sdconfig)
  - plug in the admin key on each machine in sequence, click install + the role of the machine
- The journalist keys are created from the admin key, including their credentials
- All updates and installations are from debian packages + a configuration file with the initial values entered by the user, there is no ansible
- The SVS could be packed with tools like pdf-redact-tool or a search engine and pretty much everything already packaged in Debian GNU/Linux that could be useful to work offline.
- The app / mon reboot daily and are amnesic which is presumably better for security than a long-lived system like Ubuntu
Cons:
- maintaining a tails derivative is difficult https://tails.boum.org/contribute/derivatives/
I realize this is significant work. And also that it’s going in a direction that is orthogonal to where we’re currently spending most of our efforts. I’m not saying we should do that. Maybe there is something better. Maybe it’s not such a good idea overall. But maybe there is something to explore. I especially like that
- the sysadmin experience is simplified to the minimum (i.e. entering parameters + booting on USB keys + choosing the type of install).
- the journalist experience with the SVS improves because there are more tools
Given how busy the FPF staff is (and is going to be in 2018) it is unrealistic to even think of such a radical change of direction. But if people in the community did something like this and provided a convenient upgrade path for existing SecureDrop users, it could lead to a much better experience (for the journalist because the SVS has many more features) and for the admin (because the admin key is a central point for server install & upgrades and journalist + SVS key creation & upgrades).
Food for thought