Hi,
On 10/14/2015 03:28 AM, sajolida wrote:
> Christopher Sheats:
>> On 10/13/2015 03:23 AM, sajolida wrote:
>>> Christopher Sheats:
>>>> I have interest in reusing some of the verbiage from the
>>>> 'Warning' page [1] because of its importance for SecureDrop
>>>> landing pages.
>>
>>> Cool! I'm the one who wrote most of it and "maintains" it at the
>>> moment though it hasn't changed much in the last 3 years.
>>
>>> So first of all, any feedback is greatly welcome. For example, if
>>> you think that some things are missing or too verbose.
>>
>> I will be happy to provide direct feedback, at least in the form of
>> how we remix Tails warnings applicable to SecureDrop.
>
> Ok.
>
>>> And also, I'd like to give it some more love in the next year or
>>> two to make it more efficient and hopefully shorter. Maybe by
>>> integrating it differently in the new download tool we'll release
>>> at the end of the year [1]. So if you have proposals regarding all
>>> this, they are most welcome as well.
>>
>>> Also, we could think about how you could reuse our content
>>> directly, without doing copy, paste, and modify. Would this help?
>>
>>> [1]: https://tails.boum.org/blueprint/bootstrapping/extension/
>>
>> Hmmm. This touches on a larger whistleblower support project I've been
>> thinking about. I think. I have been exploring ways to lower the
>> technical bar of threat modeling, at least in unique circumstances
>> (like using SecureDrop) where the expectations are so confined that
>> certain adversaries and vulnerabilities are known to exist and can be
>> discussed.
>>
>> With simple check boxes, a user could, possibly, tick their
>> requirements and goals and be given a narrowed threat model brief to
>> work from. Currently, of the 17 organizations using SecureDrop, threat
>> modeling is largely avoided even though there are certain adversaries
>> and vulnerabilities inherent with document leaking. A user is expected
>> to start only with solutions (SecureDrop and Tor, and maybe Tails if
>> they are up to it). This is unethical behavior in my opinion, for a
>> funded authority (a news media org, for example) to say, "it's too
>> complex, so we won't inform users at all".
>>
>> I will think about it more. Thank you.
>
> What you're saying here really make sense. Don't hesitate to keep us
> updated and we'll see if we can help you without our limited resources.
>
> Also, is there a list of these 17 organizations using SecureDrop? On
> https://en.wikipedia.org/wiki/SecureDrop there are only 9.
>
After emailing the Tails-project list, I published a blog post titled, "
Supporting SecureDrop with Creative Commons" (FYI)
https://yawnbox.com/?p=3720
Please use it if it will help you with any related documentation or
licensing change proposals. The list is on SecureDrop's site:
https://freedom.press/securedrop/directory
There are probably more sites than this, especially if you consider
private use cases such as inter-organizational whistleblowing.
Christopher
