Kushal Das

FOSS and life. Kushal Das talks here.

kushal76uaid62oup5774umh654scnu5dwzh4u2534qxhcbi4wbab3ad.onion

SecureDrop development sprint in PyCon 2018

SecureDrop will take part in the PyCon US development sprints (from 14th to 17th May). This will be the first time the SecureDrop project is present at the sprints.

If you never heard of the project before, SecureDrop is an open source whistleblower submission system that media organizations can install to securely accept documents from anonymous sources. Currently, dozens of news organizations including The Washington Post, The New York Times, The Associated Press, USA Today, and more, use SecureDrop to preserve the anonymous tipline in an era of mass surveillance. SecureDrop is installed on-premises in the news organizations, and journalists and source both use a web application to interact with the system. It was originally coded by the late Aaron Swartz and is now managed by Freedom of the Press Foundation.

How to prepare for the sprints

The source code of the project is hosted on Github.

The web applications, the administration CLI tool, and a small Qt-based GUI are all written in Python. We use Ansible heavily for orchestration. You can set up the development environment using Docker. This section of the documentation is a good place to start.

A good idea would be to build the initial Docker images for the development environment before the sprints. We have marked many issues for the PyCon Sprints, and there are also many documentation issues.

Another good place to look is the tests directory. We use pytest for most of our test cases. We also have Selenium-based functional tests.

Where to find the team?

Gitter is our primary communication platform. During the sprint days, we will be in the same room as the CPython development sprint (as I will be working on both).

So, if you are at the PyCon sprints, please visit us to learn more and maybe start contributing to the project while you are there.

Latest attempt to censor Internet and curb press freedom in India

A branch of the Indian government, the Ministry of Information and Broadcasting, is trying once again to censor the Internet and freedom of speech. This time, it has ordered the formation of a committee of 10 members who will frame regulations for online media/news portals and online content.

This order includes the following Terms of Reference for the committee.

  • To delineate the sphere of online information dissemination which needs to be brought under regulation, on the lines applicable to print and electronic media.
  • To recommend appropriate policy formulation for online media / news portals and online content platforms including digital broadcasting which encompasses entertainment / infotainment and news/media aggregators keeping in mind the extant FDI norms, Programme & Advertising Code for TV Channels, norms circulated by PCI, code of ethics framed by NBA and norms prescribed by IBF; and
  • To analyze the international scenario on such existing regulatory mechanisms with a view to incorporate the best practices.

What are the immediate problems posed by this order?

If one reads carefully, one can see how vague the terms are, and specifically how they added the term online content to it.

Online content means everything we can see, read or listen to over cyberspace. In the last few years, a number of new news organizations have come up in India, whose fearless reporting has caused a lot of problems for the government and its friends. Even though they managed to censor the publishing (sometimes through self-censorship) of news in the mainstream Indian media, all of these new online media houses, individual bloggers, security researchers and activists kept informing the masses about the wrongdoings of the people in power.

With this latest attempt to restrict free speech over the internet, the government is trying to increase its reach even more. Broad terms like online content platforms or online media or news/media aggregators will bring every person and website under its watch. One of the impacts of mass indiscriminate surveillance like this is that people are shamed into reading and thinking only what is in line with the government, or with popular thought.

How do you determine whether some blog post or update on a social media platform is news or not? For me, most of the things I read on the internet are news to me. I learn, and I communicate my thoughts over these various platforms in cyberspace. To all the computer people reading this blog post, think about the moment when you try to search for “how to do X in Y programming language?” on the Internet, but cannot see the result because it is blocked by this censorship.

India is also known for random blockades of different sites over the years. The Government has also ordered the Internet shut down for entire states for many days. For the majority of internet blockages, we, the citizens of India, were neither informed of the reasons nor given a chance to question the legality of those bans. India was marked as a country under surveillance by Reporters Without Borders back in 2012.

Also remember that this is the same Government which tried its best in the Supreme Court of India last year to curb the privacy of every Indian citizen. They said that Indian citizens do not have any right to privacy. Thankfully the bench declared the following:

The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.

Privacy is a fundamental right of every Indian citizen.

However, that fundamental right is still under attack in the name of another draconian law, the Aadhaar Act. A case is currently going on in the Supreme Court of India to determine the constitutional validity of Aadhaar. In the recent past, when journalists reported how the Aadhaar data can be breached, instead of fixing the problems, the government started criminally investigating the journalists.

A Declaration of the Independence of Cyberspace

Different governments across the world keep trying (and they will keep trying again and again) to curb free speech and press freedom. They are trying to draw borders and boundaries inside cyberspace, and to restrict its true nature.

In 1996, the late John Perry Barlow wrote A Declaration of the Independence of Cyberspace, and I think it fits naturally into the current discussion.

Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather. -- John Perry Barlow

How can you help to fight back censorship?

Each and every one of us is affected by this, and we all can help to fight back and resist censorship. The simplest thing you can do is start talking about the problems. Discuss them with your neighbor, talk about them while commuting to the office. Explain the problem to your children or to your parents. Write about it, write blog posts, share across all the different social media platforms. Many of your friends (from fields other than computer technology) may be using the Internet daily, but might not know about the destruction these laws can cause and the censorship imposed on the citizens of India.

Educate people, and learn from others about the problems arising. If you are giving a talk about a FOSS technology, also talk about how a free and open Internet is helping all of us to stay connected. If that freedom goes away, we will lose everything. At any programming workshop you attend, share this knowledge with the other participants.

In many cases, using tools to bypass censorship altogether is also very helpful (avoiding any direct confrontation). The Tor Project is free software and an open network which helps to protect the freedom and privacy of its users. Beyond circumventing surveillance and censorship, one can also use it for daily Internet browsing. The increase in Tor traffic helps all of the Tor network users together: it makes any attempt to track individuals even more expensive for nation state actors. So, download the Tor Browser today and start using it for everything.

In this era of Public private partnership from hell, Cory Doctorow beautifully explained how the internet is the nervous system of the 21st century, and how we all can join together to save the freedom of the internet. Listen to him, and do your part.

Header image copyright: Peter Massas (CC-BY-SA)

Remembering John Perry Barlow

I dream of a day, and it is not a crazy dream, when everybody on this planet who wants to know all about that is presently known about something, will be able to do so regardless of where he or she is. And I dream of a day where the right to know is understood as a natural human right, that extends to every being on the planet who is governed by anything. The right to know what its government is doing and how and why. -- John Perry Barlow

I met John Perry Barlow only once in my life, during his PyCon US 2014 keynote. I remember trying my best to stay calm as I walked towards him to start a conversation. After some time, he went up on the stage and started speaking. Even though I spoke with him very briefly, I still felt like I had known him for a long time.

This Saturday, April 7th, Electronic Frontier Foundation and Freedom of the Press Foundation organized the John Perry Barlow Symposium at the Internet Archive to celebrate the life and leadership of John Perry Barlow, or JPB as he was known to many of his friends and followers.

The event started around 2:30 AM IST, and Anwesha and I woke up at the right time to attend the whole event. Farhaan and Saptak also took part in watching the event live.

Cory Doctorow was set to open the event but was late due to the closure of the SFO runways (he later mentioned that he was stuck for more than 5 hours). In his stead, Cindy Cohn, Executive Director of the Electronic Frontier Foundation, started the event. There were two main panel sessions, with 4 speakers in each, and everyone spoke about how Barlow inspired them, or about Internet freedom, and took questions afterwards. But, before those sessions began, Ana Barlow spoke about her dad, about how many people from different geographies were connected to JPB, and how he touched so many people’s lives.

The first panel had Mitch Kapor, Pam Samuelson and Trevor Timm on the stage. Mitch started with JPB’s writing from the 1990s and how he saw the future of the Internet. He also reminded us that most of the stories JPB told us were literally true :D. He reminded us that even though EFF started as a civil liberties organization, the Wall Street Journal characterized EFF as a hacker defense fund. Pam Samuelson spoke next, starting with a quote from JPB. Pam mentioned The Economy of Ideas, published in 1994 in Wired magazine, as Barlow’s best contribution to copyright.

Cory Doctorow came up on stage to introduce the next speaker, Trevor Timm, the executive director of Freedom of the Press Foundation (FPF). He particularly mentioned the SecureDrop project and its importance. I want to emphasize one quote from him.

It’s been observed that many people around the world, billions of people struggle under bad code written by callow silicon valley dude bros, those who hack up a few lines of code and then subject billions of people to its outcomes without any consideration of ethics.

Trevor talked about the initial days of Freedom of the Press Foundation, and how JPB was the organizational powerhouse behind the organization. On the day FPF was launched, JPB and Daniel Ellsberg wrote an article for the Huffington Post, named Crowd Funding the Right to Know.

When a government becomes invisible, it becomes unaccountable. To expose its lies, errors, and illegal acts is not treason, it is a moral responsibility. Leaks become the lifeblood of the Republic.

A few months after the above-mentioned article was published, one government employee was moved by the words and contacted FPF board members (through Micah Lee). Later, when his name became public, Barlow posted the following tweet.

Next, Edward Snowden himself came in as the 4th speaker on the panel. He told a story which has not been publicized much. He went back to his days at the NSA where, even though he was a high school dropout, he had a high salary and a very comfortable life. As he gained access to highly classified information, he realized that something was not right.

I realized what was legal, was not necessarily what was moral. I realized what is being made public, was not the same as what was true. -- Edward Snowden.

He talked about how EFF’s and JPB’s work gave direction to many decisions in his life. Snowden read Barlow’s A Declaration of the Independence of Cyberspace, and perhaps that was the first seed of radicalization in his life. How Barlow chose people over living a very happy and easy life shows his alliance with us, the common people of the world.

After the first panel of speakers, Cory again took the stage to talk about privacy and the Internet. He spoke about why building technology which is safe for the world is important at this point in history.

After a break of a few minutes, the next panel of speakers came up on the stage: Shari Steele, John Gilmore, Steven Levy and Joi Ito.

Shari was the first speaker in this group. Talking about her initial days of joining EFF, she mentioned how, even without knowing about JPB before, only one meeting converted her into a groupie. She described the first big legal fight of EFF, and how JPB wrote A Declaration of the Independence of Cyberspace during that time. She chose a quote from the same:

We are creating a world where anyone, anywhere may express his or her beliefs, no matter how singular, without fear of being coerced into silence or conformity.

Later, John Gilmore pointed out a few quotes from JPB on LSD and on how American society tries to control everything. John explained why he thinks Barlow’s ideas were correct when it comes to psychedelic drugs and their effects on the human brain. He mentioned how JPB cautioned us about distinguishing between data, information and experience, in ways that are often forgotten today.

Next, Steven Levy skipped over many different stories, choosing to focus on how amazingly Barlow decided to express his ideas. The many articles JPB wrote helped to transform the view of the web in our minds. Steven chose a quote from JPB’s biography (which will be published in June) to share with us:

If people code out for eight minutes like I did and then come back, they usually do so as a different person than the one who left. But I guess my brain doesn’t use all that much oxygen because I appeared to be the same guy, at least from the inside. For eight minutes, however, I had not just been gratefully dead, I had been plain, flat out, ordinary dead. It was then I decided the time had finally come for me to begin working on my book. Looking for a ghost writer was not really the issue. At the time, my main concern was to not be a ghost before the book itself was done.

I think Steven Levy chose the right words to describe Barlow in the last sentence of his talk:

Reading that book makes me think about how much we are going to miss Barlow’s voice in this scary time for tech, when our consensual hallucination is looking more and more like a bad trip.

When you talk to Dalai Lama, just like when you talk to John Perry Barlow, there is a deep sense of humor that comes from knowing how f***** up the world is, how unjust the world is, how terrible it is, but still being so connected to true nature, that it is so funny. -- Joi Ito

Joi mentioned that Barlow not only gave us a direction by writing the declaration of the independence of cyberspace, but also created different organizations to make sure that we start moving in that direction.

Amelia Barlow was the last speaker of the day. She went through the 25 Principles of Adult Behavior.

The day ended with a marching order from Cory Doctorow. He asked everyone to talk more about the Internet and technologies and how they are affecting our lives. If we think that everyone already understands the problems, that is a very false hope. Most people still don’t think much about freedom and about how the people in power control our lives using the same technologies we think are amazing. Talking to more people and helping them to understand the problem is a good start on the path to a better future. And John Perry Barlow showed us how to walk that path with his extraordinary life and his willingness to create special bonds with everyone around him.

I want to specially thank the Internet Archive for hosting the event and allowing people like us, who were only present in cyberspace, to actually get the feeling of being in the room with everyone else.

Recording of the event

Header image copyright: EFF

How to leak information securely?

There are times when one may have access to information which can be very important for the world to know. But sharing any such information safely with journalists is always a risky task. In the modern era of Internet communications it is, on one hand, very easy to share documents over the Internet, and on the other hand, easy for government or private organizations to track the source using just the metadata. For example, we know that GPG can encrypt our emails properly so that no one can read the content, but one can easily figure out when someone mailed a journalist, or vice versa. Often, that information is enough to deanonymize a source.

SecureDrop is a free software project from Freedom of the Press Foundation which helps journalists and whistleblowers by providing a platform to share information anonymously. Read to the end of the blog post to find links to the different news organizations and their SecureDrop instances. You should visit those URLs only using Tor Browser (explained below). Even if you are just visiting the sites, your network admin can monitor which sites you are visiting, and the same goes for your home ISP (Internet Service Provider).

In this blog post I am going to talk about a few points to keep in mind while thinking about, researching, or actually leaking information using SecureDrop.

  • DO NOT SEARCH OR VIEW anything on your WORK NETWORK. This is the most important point to start with. Make sure you are not researching or viewing any website which you want to contact in future while you are on your office network. This also means you are not supposed to use any office-provided devices. Always use personal devices.

  • Make sure that the documents you want to share do not contain anything which can identify you directly, for example your employee code or any such unique number or name written on them.

  • Go to a public wifi place (for example, a coffee shop) and use that network. Once again, please do not use your work or home network.

  • Use Tor Browser. Download Tor Browser on your home computer and only use that to do any kind of research. Tor Browser is a web browser pre-configured to use the Tor network so that it can make you anonymous. Tor Browser by default uses duckduckgo.com as the search engine. DuckDuckGo does not keep track of what you are searching for.

  • Download Tails OS, which can be installed on a USB drive. Remember that using Tails is harder than just using Tor Browser on your daily computer, so you will have to go through a few steps to install and use Tails. Tails uses the Tor network for all traffic by default. Use this on a personal laptop, visit any public network space (for example a coffee shop or shopping mall) and use their free wifi to upload the real documents. We maintain a directory listing of all the SecureDrop instances. Open this URL using Tor Browser. The .onion addresses given on the site can only be opened using Tor Browser.
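The directory mentioned above hands a source a long .onion hostname to copy into Tor Browser, and a single wrong character would send them to a different (or nonexistent) service. As an added example that is not part of the original post or of SecureDrop, the following Python shows how a v3 onion address is built (the service's 32-byte ed25519 public key, a 2-byte SHA3-256 checksum and a version byte, base32-encoded) and how a client can check that a copied address is well-formed before attempting any connection. The function names, the `tamper` helper and the demo key built from `bytes(range(32))` are all constructed for this example; the demo key is not a real service key.

```python
"""Check and build v3 .onion hostnames (added example, not SecureDrop code).

A v3 onion address is base32(PUBKEY || CHECKSUM || VERSION) + ".onion", where
PUBKEY is the service's 32-byte ed25519 public key, VERSION is 0x03 and
CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2].
"""
import base64
import binascii
import hashlib

ONION_V3_VERSION = b"\x03"
_CHECKSUM_PREFIX = b".onion checksum"
ONION_V3_LEN = 56  # 35 bytes -> 56 base32 characters, no padding needed


def _checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum that binds the public key to the address."""
    return hashlib.sha3_256(_CHECKSUM_PREFIX + pubkey + ONION_V3_VERSION).digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Build the hostname for a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be exactly 32 bytes")
    raw = pubkey + _checksum(pubkey) + ONION_V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def validate_onion_v3(hostname: str) -> bool:
    """True only if hostname is a well-formed v3 onion address.

    A mistyped or altered character changes the decoded key or checksum, so
    the checksum comparison fails and the address is rejected before any
    connection is attempted.
    """
    host = hostname.strip().lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if len(host) != ONION_V3_LEN:
        return False
    try:
        raw = base64.b32decode(host, casefold=True)
    except (binascii.Error, ValueError):
        return False  # characters outside the base32 alphabet
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == ONION_V3_VERSION and checksum == _checksum(pubkey)


def tamper(hostname: str, index: int) -> str:
    """Replace one character, simulating a typo or a swapped address (constructed helper)."""
    c = hostname[index]
    replacement = "a" if c != "a" else "b"
    return hostname[:index] + replacement + hostname[index + 1:]


if __name__ == "__main__":
    demo_key = bytes(range(32))  # constructed demo key, NOT a real service key
    addr = encode_onion_v3(demo_key)
    print(addr, validate_onion_v3(addr))        # valid: True
    print(validate_onion_v3(tamper(addr, 52)))  # checksum altered: False
    print(validate_onion_v3("example.com"))     # not an onion address: False
```

Every v3 address ends in `d` (the version byte 0x03 in base32), which is a quick visual sanity check; the checksum catches the rest. Altering character 52 in the demo hits the checksum bytes, so rejection is certain; a typo in the key portion is caught with probability 1 - 2^-16.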

As I mentioned at the beginning of the post, SecureDrop is free software developed by an active community; the source code is hosted on GitHub. The primary application is written in Flask and various other Python modules. Feel free to look at the issues and contribute to the project as you wish.

Using Haven app to secure your belongings

On 22nd December, Edward Snowden (President, board of Freedom of the Press Foundation) announced a new project called Haven, which is built in collaboration between The Guardian Project and Freedom of the Press Foundation. Haven is an Android app which turns any Android phone into a monitoring system to watch over your laptop or your house.

The problem Haven is trying to solve is an old one. How do you make sure that no one is tampering with your hardware (or secretly searching your house) while you are away? There is no easy and 100% secure solution, but Haven enables us to see and record what is happening. It uses all the available sensors, including the microphones (generally there are 3 of them), the accelerometer and the camera.

How to install Haven on your phone?

I’ve been wanting to try this app for some time, but I didn’t have any old Android phones. So yesterday, as part of the new year celebration, I went and bought a new Android phone (around $100) to install Haven. But remember that Haven can be installed on cheap $50 burner Android phones too (and this is one of the goals of the project). So, feel free to use whatever is available to you.

The project is still in Beta, and it is available on the Google Play Store and on the F-Droid store (nightly beta builds). Remember that there are now fake Haven apps in the Google Play Store, so check twice before you install. The original app is published by The Guardian Project.

If you want to use F-Droid like me, add a new repository with the following URL. You can do this from the F-Droid settings, in the repositories section.

https://guardianproject.github.io/haven-nightly/fdroid/repo/

After adding the repository, refresh all the repositories by clicking the refresh button; then you can install the latest Haven. I have installed the version shown in the following screenshot. Remember that Haven can use another app called Orbot to provide remote access to the logs over Tor, but the Orbot from the Play Store kept crashing for me, so I installed the latest Orbot (15.5.1-RC-2-multi-SDK23) from the F-Droid store. I am using the 0.1.0-beta-7 version of Haven.

Configuring Haven

When you start Haven, a greeter window will welcome you. Swipe left to move to the next windows of the configuration wizard.

In the first configuration window, you will have to set which noise level should fire an alert. This totally depends on where you want to keep the phone (on watch). You can start with the default value and then tweak it from there if you’re not getting the alerts you want.

Then you will have to set the motion level. This detects if someone moves the phone. For example, if you keep the phone on top of your laptop or a document file, there is no easy way to access the laptop or document without moving the phone first.

Next, you can provide a phone number where you may want to receive notifications, either over SMS or Signal messenger.

After the initial configuration wizard, you can click on the settings button in the application. The first thing to do here is to set which number Haven should use to send Signal notifications.

You will need two phone numbers with Signal enabled. One is your primary number, where you will receive the notifications; put this number in the Notification Number (Remote) field. The second number is the one Haven will use to send notifications; put this number in the Signal Number (Local) field. The best way is to put the second SIM into the same phone that runs Haven.

Next, click on the REGISTER button. The Signal app on that number will receive a verification code over SMS, which you will have to enter after clicking the VERIFY button.

You can also enable remote access over Tor; just click on the checkbox. This will open the Orbot app, and you will come back to the settings screen after Orbot connects to the Tor network.

Remember, you can always come back to the settings and change the values as required. Soon you will find that you have to do that so that the app can adjust to various environmental noises etc.

How to use the app?

By default the app has a 30 second timer so you can make sure that the phone is in a stable place; then click on the START NOW button. When the timer runs out, the app will start monitoring for any noise, light, movement or vibration to trigger the alarm.

I kept trying to open the door of my office room without any noise, but the motion detector always caught me entering the room. I kept Haven activated and went to sleep in the afternoon. But first a very loud helicopter, then a few super bikes and finally some dogs made sure that the system triggered on noise every other minute. So, I had to increase the noise level in the settings. Though it was fun to hear the recordings on my iPhone, which Haven sent to me over Signal.

The next time you start the app, you will find the log entries, and you can click on the play button at the bottom-right corner to start it again. Below is a photo taken by the app while I tried to enter the office room.
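The tuning loop described above (start with the default noise level, get flooded by helicopters and dogs, raise it) comes down to three knobs: a threshold per sensor, the arming timer that lets you put the phone down, and a cooldown so one event produces one notification rather than one per sample. As an added example that is not Haven's own code, the following Python models that logic and runs it over a constructed afternoon of microphone readings, so you can see how the same readings produce four alerts at one threshold and one at another. The `Alert` class, `detect_alerts`, the `NOISE_SAMPLES` stream and its loudness units are all made up for this illustration.

```python
"""Threshold, arming delay and cooldown for a sensor watchdog.

Added example modelled on Haven's noise/motion settings; not the Haven app's code.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Alert:
    t: float       # seconds since START NOW was pressed
    sensor: str    # "noise" or "motion"
    level: float   # reading that crossed the threshold


def detect_alerts(samples: Iterable[Tuple[float, float]], threshold: float,
                  sensor: str = "noise", arm_delay_s: float = 30.0,
                  cooldown_s: float = 30.0) -> List[Alert]:
    """Return the alerts a watchdog would send for a stream of (t, level) readings.

    arm_delay_s mirrors the 30 second timer: readings before it are ignored so
    putting the phone down does not trigger an alert. cooldown_s suppresses
    repeat alerts for the same event (one notification per helicopter, not one
    per sample). Raising threshold trades missed events for fewer false alarms.
    """
    alerts: List[Alert] = []
    last_fired: Optional[float] = None
    for t, level in samples:
        if t < arm_delay_s or level < threshold:
            continue
        if last_fired is not None and t - last_fired < cooldown_s:
            continue
        alerts.append(Alert(t, sensor, level))
        last_fired = t
    return alerts


# Constructed afternoon of microphone readings in arbitrary loudness units:
# placing the phone (t=10), a helicopter (t=60), bikes (t=200), dogs (t=400, 460).
NOISE_SAMPLES = [
    (0, 20), (10, 90), (30, 22), (60, 85), (62, 80), (90, 25),
    (200, 70), (205, 68), (260, 24), (400, 55), (460, 58), (520, 21),
]


def alerts_at(threshold: float) -> List[Alert]:
    """Alerts the constructed afternoon produces for a given noise threshold."""
    return detect_alerts(NOISE_SAMPLES, threshold)


if __name__ == "__main__":
    for thr in (50, 75):
        fired = alerts_at(thr)
        print(f"threshold {thr}: {len(fired)} alert(s) at t={[a.t for a in fired]}")
    # threshold 50 -> helicopter, bikes and both dogs; threshold 75 -> helicopter only
```

The same function serves the motion sensor with accelerometer magnitudes as the level and a much lower threshold, since a phone sitting on a laptop should register almost nothing until someone lifts it.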

Can Haven solve all of my physical security issues?

No, but it will record whatever it sees or hears. There are ways to block radio signals (to make sure that Haven cannot send out any notification), but that is an expensive step for an attacker to take. You can keep the phone inside your hotel locker to record if anyone opens the locker, or make it watch your hallway at home. Government agencies love to see what is inside our computers and houses, but they don’t like being recorded while doing so.

How can I help?

Haven is an open source application; the source code is hosted on GitHub. Feel free to submit issues, write blog posts and make people aware of the application. If you can write Android code, you are most welcome to submit patches to the project. Every form of contribution counts, so don’t hesitate.

You can read more about the project in this post from Micah Lee.

  • Update 2018/01/03: Screenshot of configuration window updated for beta7 release

Setting up SecureDrop 0.5rc2 in VMs for QA

Next week we have the 0.5 release of SecureDrop. SecureDrop is an open-source whistleblower submission system that media organizations can use to securely accept documents from and communicate with anonymous sources. It was originally created by the late Aaron Swartz and is currently managed by Freedom of the Press Foundation.

In this blog post I am going to tell you how you can set up a production instance of SecureDrop in VM(s) on your computer, and help us to test the system for the new release.

Required software

We provision our VM(s) using Vagrant. You will also need access to a GPG key (along with the private key) to test the whole workflow. The setup is done using Ansible playbooks.

Another important piece is a Tails VM for the administrator/journalist workstation. Download the latest (Tails 3.3) ISO from their website.

You will need at least 8GB of RAM in your system so that you can run the 3 VM(s) required to test the full system.

Get the source code

For our test, we will first set up a SecureDrop 0.4.4 production system, and then we will update that to the 0.5rc release.

Clone the SecureDrop repository into a directory on your local computer. Then use the following command to set up two VM(s). One VM is the application server, and the other VM is the monitor server.

$ vagrant up /prod/ --no-provision

In case you don’t have the right image file for KVM, you can convert the VirtualBox image following this blog post.

Create a Tails VM

Follow this guide to create a virtualized Tails environment.

After the boot, remember to create Persistent storage, and also set up an administrator password (you will have to provide the administrator password every time you boot the Tails VM).

For KVM, remember to mark the drive as a removable USB storage and also mark it in the Booting Options section after the installation.

Then you can mount the SecureDrop git repository inside the Tails VM; I used this guide for that.

Also remember to change the Virtual Network Interface in the virt-manager to Virtual network ‘securedrop0’: NAT for the Tails VM.

Install the SecureDrop 0.4.4 release in the production VM(s)

For the next part of the tutorial, I am assuming that the source code is at the ~/Persistent/securedrop directory.

Move to the 0.4.4 tag

$ git checkout 0.4.4

We will also have to remove a validation role from the 0.4.4 Ansible playbook, otherwise it will fail on a Tails 3.3 system.

diff --git a/install_files/ansible-base/securedrop-prod.yml b/install_files/ansible-base/securedrop-prod.yml
index 877782ff..37b27c14 100755
--- a/install_files/ansible-base/securedrop-prod.yml
+++ b/install_files/ansible-base/securedrop-prod.yml
@@ -11,8 +11,6 @@
# Don't clobber new vars file with old, just create it.
args:
creates: "{{ playbook_dir }}/group_vars/all/site-specific"
- roles:
- - { role: validate, tags: validate }
- name: Add FPF apt repository and install base packages.
hosts: securedrop
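Review bot: deleting these two lines disables the entire `validate` role, not only the task that breaks on Tails 3.3, so every check that role performs is skipped for the rest of the install; the text above should name the failing task and why it fails, so a reader can judge whether dropping the whole role is acceptable for a QA run. Because the removed line carries `tags: validate`, the lighter alternative is to leave the playbook untouched and skip the role at invocation time with `ansible-playbook --skip-tags validate`, provided the `securedrop-admin install` wrapper lets that option through. Also, the hunk as pasted has lost its YAML indentation (`roles:`, `creates:` and the next play's `- name:` all start in column 0), so `patch` will not apply it as shown; readers should make the two-line deletion by hand in the indented original.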

Create the configuration

In the host system, make sure that you export your GPG public key to a file in the SecureDrop source directory; for my example I stored it in install_files/ansible-base/kushal.pub. I also have the exported insecure key from Vagrant. You can find that key at ~/.vagrant.d/insecure_private_key on your host system. Make sure to copy that file into the SecureDrop source directory too, so that we can later access it from the Tails VM.

Inside the Tails VM, give the following command to set up the dependencies.

$ ./securedrop-admin setup

Next, we will use the sdconfig command to create the configuration file.

$ ./securedrop-admin sdconfig

The above command will ask you for many details; you can use the defaults in most cases. I am pasting my configuration file below so that you can look at the example values I am using. The IP addresses are the default addresses for the production Vagrant VM(s). You should keep them the same as mine.

---
### Used by the common role ###
ssh_users: vagrant
dns_server: 8.8.8.8
daily_reboot_time: 4 # An integer between 0 and 23

# TODO Should use ansible to gather this info
monitor_ip: 10.0.1.5
monitor_hostname: mon
app_hostname: app
app_ip: 10.0.1.4

### Used by the app role ###
# The securedrop_header_image has to be in the install_files/ansible-base/ or
# the install_files/ansible-base/roles/app/files/ directory
# Leave set to empty to use the SecureDrop logo.
securedrop_header_image: ""
# The app GPG public key has to be in the install_files/ansible-base/ or
# install_files/ansible-base/roles/app/files/ directory
#
# The format of the app GPG public key can be binary or ASCII-armored,
# the extension also doesn't matter
#
# The format of the app gpg fingerprint needs to be all capital letters
# and zero spaces, e.g. "B89A29DB2128160B8E4B1B4CBADDE0C7FC9F6818"
securedrop_app_gpg_public_key: kushal.pub
securedrop_app_gpg_fingerprint: A85FF376759C994A8A1168D8D8219C8C43F6C5E1

### Used by the mon role ###
# The OSSEC alert GPG public key has to be in the install_files/ansible-base/ or
# install_files/ansible-base/roles/app/files/ directory
#
# The format of the OSSEC alert GPG public key can be binary or
# ASCII-armored, the extension also doesn't matter
#
# The format of the OSSEC alert GPG fingerprint needs to be all capital letters
# and zero spaces, e.g. "B89A29DB2128160B8E4B1B4CBADDE0C7FC9F6818"
ossec_alert_gpg_public_key: kushal.pub
ossec_gpg_fpr: A85FF376759C994A8A1168D8D8219C8C43F6C5E1
ossec_alert_email: kushaldas@gmail.com
smtp_relay: smtp.gmail.com
smtp_relay_port: 587
sasl_username: fakeuser
sasl_domain: gmail.com
sasl_password: fakepassword

### Use for backup restores ###
# If the `restore_file` variable is defined, Ansible will overwrite the state of
# the app server with the state from the restore file, which should have been
# created by a previous invocation of the "backup" role.
# To use uncomment the following line and enter the filename between the quotes.
# e.g. restore_file: "sd-backup-2015-01-15--21-03-32.tar.gz"
#restore_file: ""
securedrop_app_https_on_source_interface: False
securedrop_supported_locales: []
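Before running the install step, it is worth checking that the file sdconfig wrote actually satisfies the rules its own comments spell out. Here is a small pre-flight script for that, as an added example: this is my illustration, not part of the original post and not code from securedrop-admin. It assumes the flat `key: value` layout shown above, parses it with a tiny hand-written parser (so it needs no PyYAML), and checks that both fingerprints are 40 uppercase hex characters with no spaces, that the two key files exist under install_files/ansible-base/ or install_files/ansible-base/roles/app/files/, that daily_reboot_time is between 0 and 23, and that app_ip and monitor_ip are valid and distinct. The two sample configs and the placeholder key file in demo() are constructed inline so it runs offline; the function and constant names are my own.

```python
"""Pre-flight check for the file written by `securedrop-admin sdconfig`.

Added example, not part of the original post or of securedrop-admin. It parses
the flat `key: value` YAML with a small hand-written parser and enforces what the
file's own comments say: fingerprints are 40 hex digits, all capitals, no spaces;
key files live under install_files/ansible-base/ or .../roles/app/files/;
daily_reboot_time is 0..23; app and mon addresses are valid and distinct.
"""
import ipaddress
import os
import re
import tempfile

FPR_RE = re.compile(r"^[0-9A-F]{40}$")
KEY_DIRS = (
    os.path.join("install_files", "ansible-base"),
    os.path.join("install_files", "ansible-base", "roles", "app", "files"),
)

def parse_flat_yaml(text):
    """Parse one-level `key: value` YAML; drops '---' and '# comment' tails."""
    cfg = {}
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line or line == "---" or ":" not in line:
            continue
        key, _, value = line.partition(":")
        cfg[key.strip()] = value.strip().strip("\"'")
    return cfg

def check_config(cfg, base_dir):
    """Return a list of problems; an empty list means the config passes."""
    problems = []
    # A fingerprint pasted from `gpg --fingerprint` keeps its spaces and must fail.
    for key in ("securedrop_app_gpg_fingerprint", "ossec_gpg_fpr"):
        fpr = cfg.get(key, "")
        if not FPR_RE.match(fpr):
            problems.append(f"{key}: {fpr!r} must be 40 hex digits, capitals, no spaces")
    # Public keys must sit in one of the two directories Ansible copies from.
    for key in ("securedrop_app_gpg_public_key", "ossec_alert_gpg_public_key"):
        name = cfg.get(key, "")
        if not name or not any(
                os.path.isfile(os.path.join(base_dir, d, name)) for d in KEY_DIRS):
            problems.append(f"{key}: {name!r} not found under {' or '.join(KEY_DIRS)}")
    # The app and monitor servers need valid, different addresses.
    addrs = {}
    for key in ("app_ip", "monitor_ip"):
        try:
            addrs[key] = ipaddress.ip_address(cfg.get(key, ""))
        except ValueError:
            problems.append(f"{key}: {cfg.get(key)!r} is not a valid IP address")
    if len(addrs) == 2 and addrs["app_ip"] == addrs["monitor_ip"]:
        problems.append("app_ip and monitor_ip must be different hosts")
    hour = cfg.get("daily_reboot_time", "")
    if not (hour.isdigit() and int(hour) <= 23):
        problems.append(f"daily_reboot_time: {hour!r} must be an integer 0..23")
    return problems

# Constructed sample: the values from the file above, trimmed to the checked keys.
GOOD_CONFIG = """\
---
daily_reboot_time: 4 # An integer between 0 and 23
monitor_ip: 10.0.1.5
app_ip: 10.0.1.4
securedrop_app_gpg_public_key: kushal.pub
securedrop_app_gpg_fingerprint: A85FF376759C994A8A1168D8D8219C8C43F6C5E1
ossec_alert_gpg_public_key: kushal.pub
ossec_gpg_fpr: A85FF376759C994A8A1168D8D8219C8C43F6C5E1
#restore_file: ""
"""

# Constructed to trip the checks: fingerprint with gpg's spacing, a key file
# that is not in the tree, both servers on one address, and an impossible hour.
BAD_CONFIG = (
    GOOD_CONFIG.replace("A85FF376759C994A8A1168D8D8219C8C43F6C5E1",
                        "A85F F376 759C 994A 8A11  68D8 D821 9C8C 43F6 C5E1")
    .replace("kushal.pub", "missing.pub")
    .replace("app_ip: 10.0.1.4", "app_ip: 10.0.1.5")
    .replace("daily_reboot_time: 4", "daily_reboot_time: 24")
)

def demo():
    """Check both samples against a throwaway tree holding a placeholder key file."""
    with tempfile.TemporaryDirectory() as base:
        key_dir = os.path.join(base, KEY_DIRS[0])
        os.makedirs(key_dir)
        with open(os.path.join(key_dir, "kushal.pub"), "w") as fh:
            fh.write("placeholder, not a real key\n")  # constructed stand-in
        good = check_config(parse_flat_yaml(GOOD_CONFIG), base)
        bad = check_config(parse_flat_yaml(BAD_CONFIG), base)
    return good, bad

if __name__ == "__main__":
    good, bad = demo()
    print("good config:", "passes" if not good else good)
    for problem in bad:
        print("bad config:", problem)
```

To use it on a real checkout, call check_config(parse_flat_yaml(open(path).read()), repo_root) with the path of the generated site-specific file and the root of your securedrop checkout; the good sample passes cleanly, while the bad one reports both fingerprints, both missing key files, the shared address and the bad hour.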

Starting the actual installation

Use the following two commands to start the installation. The insecure_private_key is the well-known Vagrant SSH key; it is fine for these throwaway test VMs but must never be used for a real installation.

$ ssh-add insecure_private_key
$ ./securedrop-admin install

Then wait for a while for the installation to finish.

Configure the Tails VM as an admin workstation

$ ./securedrop-admin tailsconfig

This command expects the installation step above to have finished without errors. At this point, the onion addresses of the source and journalist interfaces can be read from the install_files/ansible-base/*ths files.

After this command you should see two desktop shortcuts on the Tails desktop, one for the source interface and one for the journalist interface. Double-click the source interface shortcut and make sure the page loads and that the SecureDrop version shown on it is 0.4.4.

Now update the systems to the latest SecureDrop RC release

The following commands, run in the Tails VM, will help you update to the latest RC release.

$ source .venv/bin/activate
$ cd install_files/ansible-base
$ torify wget https://gist.githubusercontent.com/conorsch/e7556624df59b2a0f8b81f7c0c4f9b7d/raw/86535a6a254e4bd72022865612d753042711e260/securedrop-qa.yml
$ ansible-playbook -vv --diff securedrop-qa.yml

Then SSH into both the app and mon VMs and run the following command on each to update to the latest RC.

$ sudo cron-apt -i -s

Note: you can use ssh app and ssh mon to connect to the systems. You can also check out the release/0.5 branch and rerun the tailsconfig command; that will make sure the desktop shortcuts are trusted by default.

After both systems are updated, reopen the source interface in the Tails VM; the version shown on the page should now be the RC release.

Now, if you open the source interface onion address in Tor Browser on your own computer, you should be able to submit documents and messages.

SecureDrop hackathon at EFF office next week

On December 7th from 6 PM, we are having a SecureDrop hackathon at the EFF office. Please RSVP and come over to start contributing to SecureDrop.

The journey continues at Freedom of the Press Foundation

The code we write is an extension of our emotions and thinking. A few months back, a Twitter thread on GNOME's account made Anwesha and me think about this once again. I think the most important reply in that thread came from Miguel de Icaza.

Contribution to Free Software happens in two forms: for many it helps to solve or support a personal cause, and sometimes it is something we deeply care about (actually the two points are not that different). That is why people come home from their day jobs and then continue contributing upstream till late at night. Many jobs now also allow working on upstream Free Software projects as part of the work. The term Open Source helped to create a bridge between businesses and creators. But we still have to keep fighting for Freedom at various levels in life, including for basic human rights.

More than a month back, the Supreme Court of India ruled that privacy is a fundamental right of every Indian citizen. It was a huge win for every privacy advocate, but it was only one of the big battles in the whole fight for the right to privacy. Even though governments use public money to develop software infrastructure, almost none of it is Free Software. There is a campaign currently running to have publicly financed software, developed for the people, be Free Software. No one knows what is going on inside the closed source infrastructure, and if people point out the issues, they get punished. If you have never heard about the Aadhaar project in India, feel free to visit this site to learn about how much destruction it is bringing.

Journalists were the most common characters in the movies (in our childhood days) who found out all the bad things people in power were doing, and at the end of the movie the public won with the help of the court (and sometimes fights between the hero and the villains). Things have changed a lot over the years. Now technology enables many people to find out the wrongdoings of the state or of private companies. It is much easier to send that information to journalists, and we can see how those revelations are helping the world. But technology also enables the wrongdoers to attack the whistleblowers and the journalists who publish the truth.

At this point if the government can identify the whistleblower, it is too dangerous to be a whistleblower. If we want to find what the state is doing, so that, we, the people, can have control over it, we need to make whistleblowers safe. -- RMS in his talk last year.

Freedom of the Press Foundation is one such organization, working to protect and defend journalism and to support journalists and whistleblowers worldwide. One of the foundation's major developments is the SecureDrop project. SecureDrop is an open-source whistleblower submission system that media organizations can use to securely accept documents from, and communicate with, anonymous sources. It was originally created by the late Aaron Swartz. The project also won the Award for Projects of Social Benefit from the Free Software Foundation in 2016. This week I joined the Freedom of the Press Foundation as a staff member to work on SecureDrop and other projects.

As I started writing this post with Why Free Software?, helping journalists and whistleblowers with Free Software is a vital cause I can personally relate to. In the last month alone, at least three journalists were killed in India; since 1992, India has had the second highest number of journalists killed because of their work. We have also seen increased death threats against journalists in India and other parts of the world. The freedom of the press stands as a pillar of democracy, and we will continue to protect it.