Over the past month, Freedom of the Press Foundation has received significant interest in newsrooms setting up SecureDrop. Our open source whistleblower submission system is already used around the globe by large media organizations, small nonprofit newsrooms, and everything in between. We’re excited to see more adoption of SecureDrop.
To help newsrooms better understand both what makes SecureDrop special, as well as what it takes to operate it, we’ve published a guide highlighting five things to know; check out the full post on the SecureDrop blog.
When we walked in, they had a sign for their New Year special: a camellia ruby pomelo tea. I'm a big fan of pomelo, or પપનસ in Gujarati, since we regularly ate it as kids. If you haven't tried it before, it's similar to a grapefruit, but better. And as I just learned, pomelo is also part of Lunar New Year celebrations. Here's the entire tea description on the menu:
Red pomelo is more than a fruit, it's a celebration of the New Year. Its vibrant red symbolizes abundance and togetherness, while its bright, tangy sweetness bursts with freshness. Subtle notes of camellia and osmanthus add elegance, blending festive joy with the warmth of home. Fresh yet unique, it redefines the pomelo experience.
A vibrant and citrusy drink featuring freshly brewed Taiwan camellia oolong tea, juicy seasonal Florida ruby pomelo, and a handcrafted natural plant-based osmanthus jelly. Hand-peeled pomelo segments add a delightful burst of freshness to this floral and aromatic blend.
As I've mentioned before, I much prefer milk teas, but since this was a special, limited edition drink I was willing to give it a try. And, it paid off.
Boba: 4/4 perfect chewiness and sweetness. The jelly was a nice complementary texture in between the boba and the pomelo pieces.
Tea: 4/4 it tasted exactly like the description: pomelo juice with subtle amounts of oolong tea. I've not enjoyed lemon teas in the past, so I was genuinely surprised at how much I liked this.
Bonus: 1/1 it was not well advertised, but they do have a privacy-friendly stamp card! It took a minute for one of the workers to find the cards when I asked, so probably not enough people take them up on it.
Total: 9/10. We have our first complete score! It is incredibly well deserved, it sounds cheesy but for a few hours after I finished the tea I was telling my girlfriend, Kajol, that I couldn't stop thinking about the tea and wanted more. Speaking of Kajol, she ordered a "BOBO milk tea" (brown sugar boba) with light ice. By default it came with lactose-free milk.
Boba: 4/4 good amount of QQ, good flavor
Tea: 4/4 tea flavor is good, perfect amount for her (not too strong, not too mild, not too sweet)
Bonus: 1/1 the place is aesthetic and it was nice that they had different lactose free milk options. We had to order on a self-checkout kiosk, but there are interesting and different options from other places. The container was cute but she wished it was bigger.
Before we total up the score, we need to discuss what happened with the boba cups:
Biggest regret: not taking a better picture of the teas right after we bought them.
There was a minor accident and my tea cup was dropped right as we entered my apartment. The bottom cracked so I dumped the tea into the closest jar to me, salvaging nearly all of it. On the other hand, Kajol's tea came in quite a robust plastic mason jar that didn't break. It definitely is small compared to what you normally get at other boba shops.
Back to the total score: 9/10, another complete score!
As I had explained when I first laid out the rating system, the tenth and final point is for consistency. After earning a 9/10, I'll go back and if it keeps up the same level of quality, then the score will be increased to a perfect 10/10.
tl;dr: A new browser extension allows you to automatically export Claude transcripts to Markdown. You can install it for Firefox.
Claude is the primary LLM I use these days, but they don't have a built-in way to share your sessions, which I find pretty useful to learn from. Simon Willison had previously posted a notebook with code to convert a JSON response to a nicely formatted Markdown transcript. But the process was pretty cumbersome, you need to open up the network console, find a specific request, and then copy the JSON out of it. But on a technical level, that should be pretty straightforward to automate...right?
I asked Claude, of course, and it created a WebExtension that automatically grabbed the specific JSON response necessary, and displays it to the user. I plugged in Simon's code to turn it into markdown, and huzzah!
When you reload the tab with Claude in it, or select a different conversation, their frontend will send a request with the full JSON contents, which the extension intercepts and stores for display in the popup. It doesn't (yet) support live updating as you send new messages or replies come in.
As a bonus, I had Claude add functionality to upload the transcript as a GitHub Gist. So you can see the full transcript of the conversation used to create the extension, uploaded by itself.
This is not a super novel idea, there are other extensions in the Firefox and Chrome stores that purport to have similar functionality, but I didn't immediately find any open source ones. I also wanted to refresh my knowledge on WebExtensions; it's been seven years since I last created one.
Overall I'd estimate Claude turned something that would've taken me ~5 hours to do from scratch into a 1-2 hour project, and even then most of that time was spent manually testing and verifying the functionality versus actually writing code. The original version was not perfect, I had to make some changes like adding a content-security-policy and removing extraneous permissions. Unsurprisingly it used manifest_version 2 instead of the newer v3, even though all the code it created was compatible with the v3 requirements.
I hope this is useful for others, you can install it in Firefox and browse the source code. In theory it should be compatible with other browsers, but I haven't tested it; the .zip bundle with the extension is uploaded as a release.
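As an added example (not code from the extension or its author), the two manifest fixes mentioned above, adding a content-security-policy and removing extraneous permissions, can be checked mechanically before a release. The manifests, the `chat.example` host, and the list of needed permissions below are constructed assumptions.

```javascript
// Added example: audit a WebExtension manifest for missing CSP and excess permissions.
// All manifests and the NEEDED list below are constructed samples.

const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// MV2 stores the CSP as a string; MV3 stores it under extension_pages.
function extensionCsp(manifest) {
  const csp = manifest.content_security_policy;
  if (typeof csp === "string") return csp;
  if (csp && typeof csp.extension_pages === "string") return csp.extension_pages;
  return null;
}

function auditManifest(manifest, needed) {
  const findings = [];
  if (manifest.manifest_version !== 3) {
    findings.push("manifest_version is not 3");
  }

  const csp = extensionCsp(manifest);
  if (csp === null) {
    findings.push("no explicit content_security_policy (browser default applies)");
  } else {
    for (const token of ["'unsafe-eval'", "'unsafe-inline'"]) {
      if (csp.includes(token)) findings.push(`CSP allows ${token}`);
    }
  }

  // MV2 mixes host patterns into permissions; MV3 splits them into host_permissions.
  const requested = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const perm of requested) {
    if (BROAD_HOSTS.has(perm)) findings.push(`broad host access: ${perm}`);
    else if (!needed.includes(perm)) findings.push(`extraneous permission: ${perm}`);
  }
  return findings;
}

// Constructed "before": MV2, no explicit CSP, over-broad permissions.
const before = {
  manifest_version: 2,
  permissions: ["webRequest", "webRequestBlocking", "storage", "tabs", "<all_urls>"],
};

// Constructed "after": one host, only the APIs assumed to be in use, explicit CSP.
const after = {
  manifest_version: 3,
  permissions: ["webRequest", "webRequestBlocking", "storage"],
  host_permissions: ["https://chat.example/*"],
  content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" },
};

// Assumption: the permissions this hypothetical extension actually needs.
const NEEDED = ["webRequest", "webRequestBlocking", "storage", "https://chat.example/*"];
console.log(auditManifest(before, NEEDED));
console.log(auditManifest(after, NEEDED));
```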
As part of Boba Quest 2025 🧋, I'm trying and reviewing a new boba shop each week.
The first month of Boba Quest is in the history books and it has been way more fun than I anticipated. The only thing better than trying new boba is trying new boba and then talking about it with your friends.
Really the only part I didn't do a good job on was geographic variety; all the places I reviewed were in Queens, off the 7 train. I promised that this week I would venture out, and venture out we did!
This week we tried AKIHI Bubble Tea, all the way in Newark, New Jersey.
Yes, you read that right, New Jersey. Boba Quest has officially crossed state lines into the Garden State.
This was another group review, with my sister, Rayna, and my girlfriend, Kajol. I am starting to appreciate group reviews more because you can gain a better impression of a boba shop by trying multiple drinks.
Before we get to the drinks, we need to talk about the ordering process. AKIHI had a touchscreen that you could order from, but it was organized pretty confusingly. The categories were "Popular", "Limited time", "First time here", "I know this place", and so on, instead of the usual categories like milk teas, fruit teas, slushes, etc.
Once you conquer the confusing menu and order, they have a nice seating platform that isn't blurry in real life (my bad).
Our other critique was that there were no "plain" fruit teas, they were already mixed. For example, there was a pineapple-mango tea, but no tea with solely mango.
It wasn't all bad; one major positive was that lactaid and other non-dairy milk options were available at no extra cost.
Okay, let's get to the drinks!
I ordered a jasmine milk tea with boba, 100% sweetness, and less ice.
Boba: 3/4 good chewiness but could've been a tad bit sweeter.
Tea: 2/4 not sweet enough, otherwise decent.
Bonus: 1/1 I was happy because of no extra cost for non-dairy options and the ambiance is nice to sit and work; but the menu was confusing.
Total: 6/10: Overall it was decent, but I would want to try out other places around Rutgers before coming back here.
Kajol ordered a brown sugar brulee with boba, 100% sweetness, and less ice.
Kajol's far more aesthetic picture of her boba.
Boba: 4/4 it's chewy, it's QQ!
Tea: 3/4 it's good, but quite sweet.
Bonus: 1/1 I liked the ambiance and the vibes. And liked the cups.
Total: 8/10.
Rayna ordered a bubble milk tea, 70% sweetness, less ice, and lactaid milk.
Boba: 4/4 I liked how chewy it is
Tea: 2/4 I wanted it to be more flavorful :(
Bonus: 1/1 I don't like how the menu is organized, but they can have the point for having both lactaid and dairy-free options.
Total: 7/10.
I (Kunal) tried all three drinks and need to say that their sweetness levels were entirely out of sync. Kajol and I both asked for 100% sweetness, but hers was significantly sweeter than mine. And the supposed 30% difference between mine and my sister's drink felt closer to 50%. Certainly this is a good argument for continuing with group reviews and ordering multiple drinks.
No idea where the next review will take place, but I'll try to keep it within the New York City limits this week :-)
Editor's note: the following is a guest post from my sister, Rayna, about the "Cannoli Crawl" we did this past weekend. —Kunal
My friends are often surprised to find out that cannoli are one of my favorite desserts. In their defense, I talk about ice cream far more frequently. Still, I'm always on the lookout for cannoli when eating at Italian restaurants and am often left disappointed. I had some fantastic cannoli in Philadelphia last November, so it was fresh on my mind when planning out this weekend's visit to New York City.
I spent the last week searching different Reddit threads and food blogs to compile a list of the most-loved cannoli in the city. I was naively expecting most of them to be in Little Italy, but the recommendations included one place in The Bronx and a few deep in Brooklyn. We only made it to four of the places on the list, which means there are still more places to visit next time.
The rating system is not as detailed as Kunal's Boba Quest but we did our best to detail our likes and dislikes. Along for the journey were Kunal's girlfriend, Kajol, and her sister, Mannat. Unfortunately, while all of the places we tried had nut-free cannoli options, they wouldn't guarantee that they were nut-allergy safe because of possible cross-contamination. As a result, it's mostly thoughts from myself, Kunal, and Mannat.
Our first stop: La Bella Ferrara in Little Italy, which had a good selection of mini- and regular-sized cannoli. Flavors included tiramisu, cookies and cream, red velvet, and more, but we started with the original to keep it simple.
Rayna: 8/10 I liked the sweetness of the filling and the variety of the options available. I appreciated that the chocolate chips were spread throughout the filling, but wanted more of them.
Kunal: 8/10 My biggest complaint was that the shell fell apart in my hands as soon as I took a bite.
Mannat: 9/10 My first-ever cannoli, I was very happy with the new dessert. I also wanted more chocolate chips.
Overall, a really promising start to the Cannoli Crawl!
Rayna, hazelnut flavor: 5.5/10 The hazelnut flavor was good, but the pastry shell was unimpressive. There were also not enough chocolate chips, but they get half a point back because the cannoli were served with powdered sugar. Kunal is unhappy I am awarding half points, but it's my blog post so I make the rules.
Kunal, original: 6/10 The flavor was eh and the shell broke while eating.
Mannat, cookies and cream: 6/10 It just tasted like cream with crushed cookies on the outside — the flavor wasn't consistent. The shell also wasn't good, but the powdered sugar was nice.
Overall, we were unimpressed. :(
Around the corner was our third stop: Ferrara Bakery and Cafe, where they only had regular and chocolate dipped shells, so we all chose the former. Kajol took a bite of this one, so her review is included too.
Rayna: 8/10 I liked the cream and the pastry shell, but this one was severely lacking in chocolate chips — I think I got four in my entire cannoli. They also only had one size, unlike the previous two places which had mini and regular options.
Kunal: 7/10 This was the best cream so far but the shell broke apart too fast.
Mannat: 7/10 Agreed that this was the best cream so far but I wasn't a fan of the shell — it was too crumbly and needed more flavor. It also needed more chocolate chips.
Kajol: 9/10 The cream and shell were both pretty good but they lose a point for not having enough chocolate chips.
For our last stop, we went to Pasticceria Rocco in the West Village. These were the only cannoli to be filled fresh, the effect of which is easily apparent in our ratings 😅. With only one size available, they had two options for the ends: dipped in chocolate chips or crushed pistachios. We all opted for chocolate chips.
Rayna: 10/10 The flavor was fantastic, along with the amount of chocolate chips on the ends. The shell was also the right texture and didn't fall apart. It would have been nice if the chocolate chips went throughout but the fresh filling was the star and made up for any shortcomings.
Kunal: 9/10 This was easily the best of the day; the cream was fresh and the shell didn't instantly fall apart in my hands.
Mannat: 10/10 This was great but I still liked the first one best.
At this point we were out of time and also cold, so we passed on the original plan of also visiting two spots in Brooklyn and one in Astoria — we'll save those for next time.
All in all, the Cannoli Crawl was a success. Pasticceria Rocco is our clear favorite, while Caffe Palermo was the biggest letdown. I am extremely content with how we spent our afternoon and my cannoli craving has been satisfied, for now.
I recently completed my third year working on SecureDrop at the Freedom of the Press Foundation. Time flies when you're having fun; and not coincidentally, this is the longest I've ever held the same position at a job.
In terms of numbers, by the end of 2024, I had made just slightly over 900 commits across our main code repositories (not all commits are created equal, etc.). I really enjoy working on such a narrowly scoped project that sits right in the middle of public-interest journalism and technology.
Looking back on the past year I feel like I am most proud of our behind-the-scenes-type architectural work, including:
completing a security audit, which didn't find anything major, partly (largely?) because it's the sixth audit of SecureDrop.
Also quietly buried in the release notes of this one is us rewriting the networking stack in Rust. We will publish a blog post about this...eventually.
The SecureDrop team is pretty small (7-8 people) for the, IMHO, outsized impact we have. My coworkers are wonderful, talented people who do great work and make my work better through collaboration. And I'm pretty privileged to get paid full time to work on free and open source software.
One of the areas I feel we've fallen short in is cultivating an open source community around SecureDrop. Part of it is that we don't have as much capacity to support that, but also it's hard to attract contributors when it's not obvious what the value of the work is (especially compared to my past MediaWiki work).
As a best practice, we recommend journalists don't reveal the specific mechanism that a leak came through, so the main indicator we have that SecureDrop is useful is that news organizations keep investing in using it (well, and they tell us that it's useful). But, I hope we can keep making progress in recruiting other contributors.
For the past few months I've been figuring out how we can automatically upgrade SecureDrop instances from Ubuntu 20.04 (Focal) to 24.04 (Noble). Jumping LTS versions is officially unsupported by Ubuntu, but SecureDrop servers are pretty homogeneous, so once we have it figured out on our test servers, it should be relatively safe to replicate.
We have a few long-running test instances that were first installed years ago with a very old version of SecureDrop and upgraded step-by-step over the years, so they've built up all the possible cruft; I had snapshots of them taken for investigation on how they differ from a fresh install today and began eliminating some of the divergences. And then we can restore the snapshots to other servers to try the upgrade against without risking breaking the actual long-running instance.
I'm pretty confident in what we've figured out so far; certainly doing an in-place upgrade is going to be far simpler for administrators instead of needing to do a fresh reinstall. In case you didn't guess, the upgrade script is being written in Rust, and we/I have a pretty solid reason for doing so.
(Sidenote: I slipped in an easter egg while working on this, I am not aware of anyone discovering it yet.)
During our 2023 team retreat, we got sick "anti-malware malware club" t-shirts made. I wore it to a few conferences and received rave reviews, with people asking me where they could buy it from. We listened and are now selling them in the FPF store! They're union printed, 100% cotton and very cool.