Three years of SecureDrop

I recently completed my third year working on SecureDrop at the Freedom of the Press Foundation. Time flies when you're having fun; and not coincidentally, this is the longest I've ever held the same position at a job.

In terms of numbers, by the end of 2024, I had made just slightly over 900 commits across our main code repositories (not all commits are created equal, etc.). I really enjoy working on such a narrowly scoped project that sits right in the middle of public-interest journalism and technology.

Looking back on the past year I feel like I am most proud of our behind-the-scenes-type architectural work, including:

The SecureDrop team is pretty small (7-8 people) for the, IMHO, outsized impact we have. My coworkers are wonderful, talented people who do great work and make my work better through collaboration. And I'm pretty privileged to get paid full time to work on free and open source software.

One of the areas I feel we've fallen short in is cultivating an open source community around SecureDrop. Part of it is that we don't have as much capacity to support that, but also it's hard to attract contributors when it's not obvious what the value of the work is (especially compared to my past MediaWiki work).

As a best practice, we recommend journalists don't reveal the specific mechanism that a leak came through, so the main indicator we have that SecureDrop is useful is that news organizations keep investing in using it (well, and they tell us that it's useful). But, I hope we can keep making progress in recruiting other contributors.

A noble adventure

For the past few months I've been figuring out how we can automatically upgrade SecureDrop instances from Ubuntu 20.04 (Focal) to 24.04 (Noble). Jumping LTS versions is officially unsupported by Ubuntu, but SecureDrop servers are pretty homogeneous, so once we have it figured out on our test servers, it should be relatively safe to replicate.

We have a few long-running test instances that were first installed years ago with a very old version of SecureDrop and upgraded step-by-step over the years, so they've built up all the possible cruft; I had snapshots of them taken for investigation on how they differ from a fresh install today and began eliminating some of the divergences. And then we can restore the snapshots to other servers to try the upgrade against without risking breaking the actual long-running instance.

I'm pretty confident in what we've figured out so far; certainly doing an in-place upgrade is going to be far simpler for administrators instead of needing to do a fresh reinstall. In case you didn't guess, the upgrade script is being written in Rust, and we/I have a pretty solid reason for doing so.

(Sidenote: I slipped in an easter egg while working on this, I am not aware of anyone discovering it yet.)

Merch

Black t-shirt with the text anti-malware malware club and the SecureDrop and Dangerzone logos on the sleeves

During our 2023 team retreat, we got sick "anti-malware malware club" t-shirts made. I wore it to a few conferences and received rave reviews, with people asking me where they could buy it from. We listened and are now selling them in the FPF store! They're union printed, 100% cotton and very cool.