Securedrop Documentation Release 0.9.0

Total Page:16

File Type:pdf, Size:1020Kb

Securedrop Documentation Release 0.9.0 SecureDrop Documentation Release 0.9.0 SecureDrop Team and Contributors Sep 05, 2018 User Guides 1 Source Guide 3 1.1 Choosing the Right Location.......................................3 1.2 Get the Tor Browser...........................................3 1.3 Choose Who to Submit To........................................4 1.4 Making Your First Submission......................................4 1.5 Continuing the Conversation....................................... 10 2 Journalist Guide 15 2.1 Updating Your Workstation....................................... 15 2.2 Creating a GPG Key........................................... 16 2.3 Connecting to the Journalist Interface .................................. 16 2.4 Daily Journalist Alerts About Submissions............................... 17 2.5 Interacting With Sources......................................... 18 2.6 Moving Documents to the Secure Viewing Station ........................... 21 2.7 Decrypting on the Secure Viewing Station ................................ 26 2.8 Working with Documents........................................ 28 2.9 Encrypting and Moving Documents to the Journalist Workstation ................... 29 2.10 Decrypting and Preparing to Publish................................... 31 3 Admin Guide 33 3.1 Responsibilities.............................................. 33 3.2 Common Tasks.............................................. 35 3.3 Frequently Asked Questions....................................... 44 4 Passphrase Best Practices 47 4.1 General Best Practices.......................................... 47 4.2 For Sources................................................ 48 4.3 For Journalists/Admins.......................................... 48 5 Overview 49 5.1 Technical Summary........................................... 49 5.2 Infrastructure............................................... 50 5.3 Operation................................................. 51 6 Terminology 53 6.1 Source.................................................. 53 6.2 Journalist................................................. 53 i 6.3 Application Server............................................ 53 6.4 Monitor Server.............................................. 54 6.5 Landing Page............................................... 54 6.6 Source Interface............................................. 54 6.7 Journalist Interface............................................ 54 6.8 Journalist Workstation.......................................... 54 6.9 Admin Workstation............................................ 54 6.10 Secure Viewing Station......................................... 54 6.11 Two-Factor Authenticator........................................ 55 6.12 Transfer Device............................................. 55 7 Passphrases 57 7.1 Admin.................................................. 57 7.2 Journalist................................................. 58 8 Hardware 59 8.1 Hardware Overview........................................... 59 8.2 Required Hardware............................................ 59 8.3 Optional Hardware............................................ 62 8.4 Specific Hardware Recommendations.................................. 63 9 Before You Begin 69 10 Create Tails USBs 71 10.1 Install Tails................................................ 71 10.2 Enable Persistent Storage........................................ 72 11 Set Up the Secure Viewing Station 73 11.1 Ensure Filenames are Preserved..................................... 73 11.2 Correct the System Time......................................... 74 12 Set Up the Transfer Device 77 12.1 Select DVDs or USBs.......................................... 77 12.2 USB Transfer Device Configuration................................... 77 13 Generate the SecureDrop Submission Key 83 13.1 Create the Key.............................................. 83 13.2 Export the Public Key.......................................... 86 14 Set up the Admin Workstation 91 14.1 Start Tails with Persistence Enabled................................... 91 14.2 Download the SecureDrop repository.................................. 91 14.3 Create the Admin Passphrase Database................................. 93 15 Set Up the Network Firewall 95 15.1 Before You Begin............................................ 95 15.2 Initial Configuration........................................... 97 15.3 Disable DHCP on the LAN....................................... 106 15.4 SecureDrop Configuration........................................ 112 15.5 Tips for Setting Up pfSense Firewall Rules............................... 129 15.6 Keeping pfSense up to Date....................................... 129 15.7 Abstract Firewall Rules......................................... 133 16 Set Up the Servers 135 16.1 Install Ubuntu.............................................. 135 16.2 Test Connectivity............................................. 140 ii 16.3 Set Up SSH Keys............................................. 140 17 Install SecureDrop 141 17.1 Install Prerequisites........................................... 141 17.2 Localization of the Source Interface and Journalist Interface ...................... 142 17.3 Configure the Installation........................................ 142 17.4 Install SecureDrop Servers........................................ 143 18 Configure the Admin Workstation Post-Install 145 18.1 Auto-connect to the Authenticated Tor Hidden Services........................ 145 19 Create an Admin Account on the Journalist Interface 147 20 Test the Installation 149 20.1 Test Connectivity............................................. 149 20.2 Sanity-Check the Installation...................................... 149 20.3 Test the Web Interfaces.......................................... 150 21 Onboard Journalists 151 21.1 Determine Access Protocol for the Secure Viewing Station ....................... 151 21.2 Create a Journalist Tails USB...................................... 152 21.3 Set Up Automatic Access to the Journalist Interface .......................... 152 21.4 Add an account on the Journalist Interface ............................... 153 21.5 Verify Journalist Setup.......................................... 153 22 Overview 155 23 Landing Page 157 23.1 URL and Location............................................ 157 23.2 HTTPS Only (No Mixed Content).................................... 157 23.3 Perfect Forward Secrecy......................................... 158 23.4 SSL Certificate Recommendations.................................... 158 23.5 Do Not Use Third-Party Analytics, Tracking, or Advertising...................... 158 23.6 Do Not Hyperlink .onion Addresses................................... 159 23.7 Avoid Direct Links to SecureDrop.org.................................. 159 23.8 Apply Security Headers......................................... 159 23.9 Additional Apache Configuration.................................... 160 23.10 Further Security Considerations..................................... 161 23.11 Landing Page Content Suggestions................................... 161 24 Minimum requirements for the SecureDrop environment 163 25 Whole Site Changes 165 25.1 Suggested................................................. 165 26 Sample SecureDrop Privacy Policy 167 26.1 Collection of Information From Sources................................. 167 26.2 Collection of Information About Journalists’ Use of SecureDrop.................... 168 26.3 Data Security............................................... 168 26.4 Children Under 13............................................ 168 26.5 Changes to This Policy.......................................... 168 26.6 Contact.................................................. 168 27 Pre-Install Hardware Checklist 169 iii 28 Promoting Your SecureDrop Instance 171 28.1 Make a High Profile Announcement................................... 171 28.2 Provide a Clear Link on Your Homepage................................ 171 28.3 Provide Links at the Bottom of Your Articles.............................. 173 28.4 Create an Instructional Video on How to Access and Use Your SecureDrop.............. 173 28.5 Regularly Share Your SecureDrop Landing Page on Social Media................... 173 28.6 Target Potential Whistleblowers with Advertising............................ 174 28.7 Put an Advertisement in Your Physical Paper.............................. 174 29 What Makes SecureDrop Unique 177 29.1 No Third Parties that Can Secretly be Subpoenaed........................... 177 29.2 Limits the Metadata Trail as Much as Possible............................. 177 29.3 Encrypted and Air-Gapped........................................ 178 29.4 Protects Against Hackers......................................... 178 29.5 Free and Open Source Software..................................... 178 30 Useful Logs 179 30.1 Both servers............................................... 179 30.2 Application Server ............................................ 179 30.3 Monitor Server .............................................. 179 31 OSSEC Guide 181 31.1 Setting Up OSSEC Alerts........................................ 181 31.2 Troubleshooting............................................. 184 31.3 Analyzing the Alerts........................................... 188 32 Tails Guide 189 32.1 Installing Tails on USB Sticks...................................... 189 32.2 Configure Tails for Use with SecureDrop................................ 190 33 Setting Up a Printer in Tails
Recommended publications
  • Ubuntu Server Guide Basic Installation Preparing to Install
    Ubuntu Server Guide Welcome to the Ubuntu Server Guide! This site includes information on using Ubuntu Server for the latest LTS release, Ubuntu 20.04 LTS (Focal Fossa). For an offline version as well as versions for previous releases see below. Improving the Documentation If you find any errors or have suggestions for improvements to pages, please use the link at thebottomof each topic titled: “Help improve this document in the forum.” This link will take you to the Server Discourse forum for the specific page you are viewing. There you can share your comments or let us know aboutbugs with any page. PDFs and Previous Releases Below are links to the previous Ubuntu Server release server guides as well as an offline copy of the current version of this site: Ubuntu 20.04 LTS (Focal Fossa): PDF Ubuntu 18.04 LTS (Bionic Beaver): Web and PDF Ubuntu 16.04 LTS (Xenial Xerus): Web and PDF Support There are a couple of different ways that the Ubuntu Server edition is supported: commercial support and community support. The main commercial support (and development funding) is available from Canonical, Ltd. They supply reasonably- priced support contracts on a per desktop or per-server basis. For more information see the Ubuntu Advantage page. Community support is also provided by dedicated individuals and companies that wish to make Ubuntu the best distribution possible. Support is provided through multiple mailing lists, IRC channels, forums, blogs, wikis, etc. The large amount of information available can be overwhelming, but a good search engine query can usually provide an answer to your questions.
    [Show full text]
  • Pipenightdreams Osgcal-Doc Mumudvb Mpg123-Alsa Tbb
    pipenightdreams osgcal-doc mumudvb mpg123-alsa tbb-examples libgammu4-dbg gcc-4.1-doc snort-rules-default davical cutmp3 libevolution5.0-cil aspell-am python-gobject-doc openoffice.org-l10n-mn libc6-xen xserver-xorg trophy-data t38modem pioneers-console libnb-platform10-java libgtkglext1-ruby libboost-wave1.39-dev drgenius bfbtester libchromexvmcpro1 isdnutils-xtools ubuntuone-client openoffice.org2-math openoffice.org-l10n-lt lsb-cxx-ia32 kdeartwork-emoticons-kde4 wmpuzzle trafshow python-plplot lx-gdb link-monitor-applet libscm-dev liblog-agent-logger-perl libccrtp-doc libclass-throwable-perl kde-i18n-csb jack-jconv hamradio-menus coinor-libvol-doc msx-emulator bitbake nabi language-pack-gnome-zh libpaperg popularity-contest xracer-tools xfont-nexus opendrim-lmp-baseserver libvorbisfile-ruby liblinebreak-doc libgfcui-2.0-0c2a-dbg libblacs-mpi-dev dict-freedict-spa-eng blender-ogrexml aspell-da x11-apps openoffice.org-l10n-lv openoffice.org-l10n-nl pnmtopng libodbcinstq1 libhsqldb-java-doc libmono-addins-gui0.2-cil sg3-utils linux-backports-modules-alsa-2.6.31-19-generic yorick-yeti-gsl python-pymssql plasma-widget-cpuload mcpp gpsim-lcd cl-csv libhtml-clean-perl asterisk-dbg apt-dater-dbg libgnome-mag1-dev language-pack-gnome-yo python-crypto svn-autoreleasedeb sugar-terminal-activity mii-diag maria-doc libplexus-component-api-java-doc libhugs-hgl-bundled libchipcard-libgwenhywfar47-plugins libghc6-random-dev freefem3d ezmlm cakephp-scripts aspell-ar ara-byte not+sparc openoffice.org-l10n-nn linux-backports-modules-karmic-generic-pae
    [Show full text]
  • Linux E-Mail Set Up, Maintain, and Secure a Small Office E-Mail Server
    Linux E-mail Set up, maintain, and secure a small office e-mail server Ian Haycox Alistair McDonald Magnus Bäck Ralf Hildebrandt Patrick Ben Koetter David Rusenko Carl Taylor BIRMINGHAM - MUMBAI This material is copyright and is licensed for the sole use by Jillian Fraser on 20th November 2009 111 Sutter Street, Suite 1800, San Francisco, , 94104 Linux E-mail Set up, maintain, and secure a small office e-mail server Copyright © 2009 Packt Publishing All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews. Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book. Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information. First published: June 2005 Second edition: November 2009 Production Reference: 1051109 Published by Packt Publishing Ltd. 32 Lincoln Road Olton Birmingham, B27 6PA, UK. ISBN 978-1-847198-64-8 www.packtpub.com
    [Show full text]
  • Email Communication
    EMAIL COMMUNICATION Manish Kumar Arya OUTLINE Background Mail system components Manish Kumar Arya [email protected] Arya Kumar Manish Standards Mail communication decoded Decoding mail header Access your emails Security extensions Relevance of email communication Open source email software Further links Q&A 2 BACKGROUND Electronic mail is there since early 90s in public domain Manish Kumar Arya [email protected] Arya Kumar Manish Email is digital exchange of messages over internet/intranet Email RFCs for message transport (SMTP) and access (POP3, IMAP) were introduced in 80s 3 EMAIL SYSTEM COMPONENTS Mail User Agent (thunderbird, webmail, outlook) [email protected] Arya Kumar Manish Mail Transfer Agent (qmail, postfix, sendmail) Mail Delivery Agent (procmail, maildrop, bin/mail) 4 FLOW DIAGRAM Manish Kumar Arya [email protected] Arya Kumar Manish MUA MTA MDA Mailbox Mailbox access via POP3 or IMAP MUA Outlook/ Postfix Procmail/ Maildir/ Webmail /qmail mail Mailbox 5 STANDARDS AND TERMS … Manish Kumar Arya [email protected] Arya Kumar Manish SPAM MX Backup 110 6 SENDING A RAW EMAIL, HOW SMTP WORKS telnet smtp1.xxx.xxx.xxx 25 Trying 10.5.2.11... Connected to smtp1.xxx.xxx.xxx. Escape character is '^]'. [email protected] Arya Kumar Manish 220 **************************************** helo domain 250 smtp1.xxx.xxx.xxx. mail from: [email protected] 250 Ok rcpt to:[email protected] 250 Ok data 354 End data with <CR><LF>.<CR><LF> Hello test message from [email protected] to [email protected] . 250 Ok: queued as 5C3F0362E8 quit 221 Bye Connection to smtp1.xxx.xxx.xxx. closed by foreign host. 7 WHAT IS HAPPENING
    [Show full text]
  • Administrivia Mail on UNIX Systems — Traditional Approach
    CSCI 3215 November 16, 2020 Administrivia • Reminder: Homework due Wednesday. • Is that it on homework? Almost — one more homework, a bit later, asking you to reflect on the course. • Anything else? Syllabus mentions a project. I think we still have time for a Slide 1 scaled-down version. Details soon. • Minute-essay responses have been great! I haven’t made time to reply but I’ve enjoyed reading them. • Current (as of about 5pm Monday) attendance report uploaded. If you’re not sure whether you’ve sent me all the minute essays ... Mail on UNIX Systems — Traditional Approach • (Reasonably good ASCII-art picture in rather old HOWTO for administrators, recommended as reading for today.) • MTA (“mail transport agent”) communicates with the outside world to send/receive mail, using SMTP (Simple Mail Transfer Protocol). Several choices; typically choose one when installing/configuring. Traditional one is Slide 2 sendmail; very powerful, but not easy to configure. Losing ground on desktop-oriented Linux distributions to alternatives such as postfix. • MDA (“mail delivery agent”) delivers mail locally, often to “mail spool”. One choice is procmail, which allows various forms of filtering. • MUA (“mail user agent”) is what users interact with directly. Many choices (more shortly). • Mechanisms for running “batch” jobs (including at and cron) often mail output to owning user. 1 CSCI 3215 November 16, 2020 Mail on UNIX (and Other) Systems — More-Current Approach • MUA communicates directly with mail server (probably not local), using IMAP, POP3, etc. Mail stays on server. Requires that mail server be running something that provides IMAP/POP3/etc.
    [Show full text]
  • Course 4 Lesson 2: Mail
    This material is based on work supported by the National Science Foundation under Grant No. 0802551 Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author (s) and do not necessarily reflect the views of the National Science Foundation C4L2S1 In today’s fast paced world of communications, one of the most used networking services besides web searches is email. In this lesson, we will explore mail services U the available on Linux, and then setup email services on a Fedora machine. C4L2S2 You should know what will be expected of you when you complete this lesson. These expectations are presented as objectives. Objectives are short statements of expectations that tell you what you must be able to do, perform, learn, or adjust after reviewing the lesson. U the Lesson Objective: Given a Linux server, the student will be able to determine the correct mail system to install, and install and configure a mail server capable of sending and receiving emails correctly. C4L2S3 In this lesson, you will explore: Email System Overview Introduction to Postfix Configuring Email Server Testing Email Server C4L2S4 This lesson uses Fedora Linux for demonstration. To complete this lesson successfully, you must have access to: Resources: Fedora Linux on bare metal or as a virtual install • Download Virtualbox 10 Gb of hard drive space dedicated to the • Virtualbox for Linux Hosts operating system’s use • Install Fedora to Virtualbox A command shell • Virtualbox manual Internet for research • Using Virtualbox with Ubuntu Word processor (process similar to Fedora) Use the resources on the right to configure your system for Fedora.
    [Show full text]
  • A Sane Mail System Or: Fetchmail, Procmail, Courier-IMAP-SSL, Maildir, Exim and Spamassassin
    A Sane Mail System Or: fetchmail, procmail, Courier-IMAP-SSL, Maildir, exim and SpamAssassin ©2003 Stewart Smith Linux Australia Vice President http://www.linux.org.au http://www.flamingspork.com 1 Why? • Ever increasing amounts of email • Needs to be sorted or we go insane • Ever increasing amounts of SPAM • Needs to be filtered or we go insane • Needs to be efficient or we go insane! 2 Fetchmail • It’s job is to fetch mail from POP or IMAP servers • You only need to use it if you do not receive mail directly (i.e. people send mail to [email protected]) 3 What you need to know • The server you get mail from (e.g. mail.myisp.com.au) • Your username (e.g. fred) • Your password (e.g. azy68fie) • The type of server you’re connecting to (It’s probably POP3) 4 ~/.fetchmailrc • This is where you store your fetchmail configuration • Must have permissions of 0600 (u=rw,g=,o=) (think chmod 600 .fetchmailrc) • The man page is useful 5 Example .fetchmailrc set daemon 660 poll mail.myisp.com.au protocol pop3 user fred password azy68fie fetchall The ‘set daemon 660’ line tells fetchmail to check for mail every 660 seconds 6 Where does fetched mail go? • As each message is retrieved fetchmail normally delivers it via SMTP to port 25 on the machine it is running on (localhost), just as though it were being passed in over a normal TCP/IP link. The mail will then be delivered locally via your system's MDA (Mail Delivery Agent, usually sendmail(8) but your system may use a different one such as smail, mmdf, exim, or qmail).
    [Show full text]
  • How Qmail Works
    APPENDIX A How qmail Works You DON'T NEED TO UNDERSTAND how qmail works to install or use qmail. And you don't have to be an auto mechanic to operate a car or a watchmaker to tell time. Eut if you really want to master qmail, knowing exactly how it does what it does is crucial. Luckily, qmail's simple, modular design makes understanding how it works easy for a system as complex as a Mail Transfer Agent (MTA). This appendix takes a top-down approach: first looking at how the modules interact with each other, then looking at how each module does its job. High-Level Overview The grand division in qmail is between the modules that accept new messages and place them into the queue and the modules that deliver them from the queue. We'll call these functions receivingand sending. The separation between receiving and sending is complete: Either of these functions can be fully oper­ ational while the other is shut down. Figure A-l shows the high-level organization of qmail. Incoming Receiving Queue Sending Delivered Messages Messages Figure A -1. High-level qmail organization Receiving Messages enter the queue through two main routes: local injection using qmail-inject or sendmail and network injection using qmail-smtpd, qmail-qmtpd 417 AppendixA or qmail-qmqpd. Both ofthese routes use qmail-queue to actually inject their mes­ sages into the queue. Figure A-2 shows the organization ofthe receiving function. QMQP tcpserver QMTP tcpserver SMTP tcpserver Queue Local------------­ MUA Figure A-2. The receivingfunction Sending Messages are delivered from the queue through two main routes: local delivery using qma il-loca 1 and remote delivery using qma il-remote.
    [Show full text]
  • Virtual Mailserver HOWTO Dave Dribin [email protected]
    Virtual Mailserver HOWTO Dave Dribin [email protected] Keith Garner [email protected] This guide describes how to set up a mail server that supports multiple domains with virtual and local users using Postfix, OpenLDAP, Courier-IMAP, and Jamm. It also covers many design decisions behind the technology and implementation choices. Table of Contents 1. Introduction...............................................................................................................................................................3 1.1. Why write this document?..............................................................................................................................3 2. Requirements.............................................................................................................................................................3 3. System Architecture..................................................................................................................................................3 3.1. Software Selection..........................................................................................................................................4 3.2. The Big Picture...............................................................................................................................................5 3.3. Mailbox Location ...........................................................................................................................................6 4. Implementation .........................................................................................................................................................6
    [Show full text]
  • Configuring Sendmail to Use Maildir Format, Using Procmail
    Playing with Sendmail in Fedora Created by Mark Dickinson, March 2009 Table of Contents Introduction..........................................................................................................................................2 Disclaimer.............................................................................................................................................2 Important: The environment discussed.................................................................................................4 Configuring Sendmail to use Maildir format, using Procmail.............................................................5 Configuring Sendmail to use Procmail............................................................................................5 Changes to the the unix command line mutt mail client configuration...........................................7 Configuring Sendmail to allow mail forwarding..................................................................................8 Changes needed in /etc/hosts on all servers for this to work...........................................................8 Reconfigure Sendmail to listen on the internal network on all servers.........................................10 Change the Sendmail Cw entry.....................................................................................................10 Changes on the mail destination server needed for local relaying.................................................11 Testing the changes........................................................................................................................11
    [Show full text]
  • Mini-HOWTO Install Qmail with MH
    mini−HOWTO install qmail with MH mini−HOWTO install qmail with MH Table of Contents mini−HOWTO install qmail with MH..............................................................................................................1 Christopher Richardson ([email protected]).......................................................................................1 1. Introduction..........................................................................................................................................1 2. My System Details...............................................................................................................................1 3. Qmail Installation................................................................................................................................1 4. MH Installation....................................................................................................................................1 5. Fetchmail.............................................................................................................................................1 6. Exmh....................................................................................................................................................1 7. Procmail...............................................................................................................................................1 8. ISDN....................................................................................................................................................1
    [Show full text]
  • President's Corner
    TAPR PSR #138 Spring 2018 President’s Corner By Steve Bible, N7HPR Hamvention is nearly here and TAPR will be present in full-force! The biggest ham radio convention of the year runs from May 18 to May 20 at the Greene County Fairgounds in Xenia, Ohio and TAPR has plans to fill your Hamvention weekend. TAPR Booths TAPR’s booths will be in Building 5 (booths 5009 through 5011) where we will show what we have been up to lately. You can visit our booths 9 AM to 6 PM on Friday, 9 AM to 5 PM on Saturday and 9 AM to 1 PM on Sunday. TAPR Forum Friday at 9:15 AM, Scotty Cowling, WA2DFI, will moderate the TAPR Forum in Greene County President’s Corner 01 Fairgounds Forum Room 1. This years’ speakers include: Hamvention TAPR Forum in Detail 03 DCC Call for Papers 05 • My “Introduction” TAPR at HamSCI Workshop 06 • Stana Horzepa, WA1LOU, PSR Editor, on “The World According to PSR” WSPR Without Tears 07 • Steve Ford, WB8IMY, QST Editor, on “Write for QST/QEX” TAPR Wear Available 08 • Adam Farson, VA7OJ/AB4OJ, on “SDR vs Legacy Radio” In the Works 09 AxMail-FAX 11 • John Ackerman, N8UR, on “Collecting Solar Eclipse Data Using SDR, plus a Low Noise Power Down, DX Up 21 VHF/UHF Synthesizer” Donate to TAPR 21 • Nathaniel Frissell, W2NAF, on “What is HamSCI” Write Here! 22 For the full description of the Forum, see “Hamvention TAPR Forum in Detail” on page 3. On the Net 22 The Fine Print 23 TAPR/AMSAT Dinner Our Membership App 24 The 12th annual TAPR/AMSAT dinner takes place on Friday evening at the Kohler Presidential Banquet Center, 4572 Presidential Way, Kettering, OH 45429.
    [Show full text]