Fri Apr 19 22:13:02 EDT 2024

Foreclosurepedia Announces DeadDrop For Sources

 

DeadDrop is an open source project hosted on GitHub. As many within the industry have begun to contact us with information, and with concerns about how to transmit it, we will be implementing this model over the holidays.
DeadDrop Threat Model

Application Name and Description
 

DeadDrop is meant to let sources communicate with journalists with greater anonymity and security than afforded by conventional e-mail.

 
Business Objectives
 

  • Design an application that provides a source a way to securely upload documents and messages to a journalist that protects the source's anonymity.
  • Design an environment to host the application that protects the source's anonymity.
  • The application should allow for the source to return to the site and check for replies from the journalist.
  • The application and environment should be designed so only the selected journalists can decrypt the source's encrypted documents and files.
  • The application and environment should be designed so only the intended source can view the journalist's clear text replies.
  • The source's authentication mechanism, while being secure, should be easy for the source to remember without writing down.
  • The application and environment should use well known and industry accepted cryptography and security practices.
  • The environment should be monitored for possible security events though identifiable information about the source should be excluded from all logs in the environment.
  • The application and environment should be designed to protect the encrypted files even in the event of a full system compromise or seizure.

Anonymity Provided
 

  • A Tor hidden service is configured for the application. It is highly recommended for the source to use Tor to submit messages, documents and check for replies. Please consult this link for more information on Tor and Tor hidden services https://www.torproject.org/docs/hidden-services.html.en
  • Only the two selected journalists have physical access to the application's GPG private key and know the key's passphrase used to decrypt source files. These steps were taken to provide reasonable assurance that only the two selected journalists could decrypt the files after they were encrypted in the application.
  • The network firewall sees only the Tor traffic, not information about the source.
  • Apache access logs are not kept.
  • The source's clear text code name is not stored to disk in the application or known to the site administrators and journalists.
  • The source's uploaded messages and documents are encrypted before being stored to disk.
  • The secure viewing station, where the application's GPG private key decrypts the source's submitted information, 1) is never connected to a network, 2) is booted from a LiveCD, 3) has its hard drive removed, and 4) is physically located in a secured corporate facility.
  • Journalists' reply messages to sources are encrypted with a GPG keypair unique to the source.
  • Journalists' replies are encrypted with a GPG passphrase that is known only to the source and never stored in clear text in the application.
  • The source is urged to delete replies after reading them. The application uses secure-remove to delete the file so that it is not reasonably forensically recoverable.
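
One way the code-name and reply-passphrase properties listed above could be met, shown as an added example that is not DeadDrop's own code: the server derives a storage identifier and a separate GPG passphrase from the code name and keeps neither the code name nor the passphrase on disk. The use of scrypt, the salts, the word list and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import secrets

# Constructed sample word list; a real deployment needs thousands of words.
WORDS = ["anchor", "birch", "copper", "delta", "ember", "fjord", "garnet",
         "harbor", "indigo", "juniper", "kettle", "lantern", "meadow",
         "nickel", "orchid", "pebble"]

# Assumed per-deployment salts (constructed values). Using two different salts
# keeps the on-disk identifier from revealing the reply passphrase.
ID_SALT = b"constructed-example-salt-for-store-id"
GPG_SALT = b"constructed-example-salt-for-gpg-pass"


def generate_codename(num_words=8):
    """Pick words with a CSPRNG: memorable for the source, hard to guess."""
    return " ".join(secrets.choice(WORDS) for _ in range(num_words))


def codename_entropy_bits(num_words, wordlist_size=len(WORDS)):
    """Guessing entropy of a code name drawn uniformly from the word list."""
    return num_words * math.log2(wordlist_size)


def _stretch(codename, salt):
    # scrypt makes every offline guess costly if the server disk is seized.
    return hashlib.scrypt(codename.encode("utf-8"), salt=salt,
                          n=2**14, r=8, p=1, dklen=32)


def store_id(codename):
    """Name of the source's directory on disk; the only derived value stored."""
    return _stretch(codename, ID_SALT).hex()


def reply_passphrase(codename):
    """Passphrase for the source's reply keypair; recomputed on each visit."""
    return _stretch(codename, GPG_SALT).hex()


def returning_source_matches(codename, stored_id):
    """Constant-time check that a returning source maps to a stored id."""
    return hmac.compare_digest(store_id(codename), stored_id)
```

With the 16-word sample list an 8-word code name carries only 32 bits, which is why the list size matters as much as the key-stretching parameters.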

     

     

Paul Williams