Category Archives: SecureDrop by Freedom of the Press Foundation

GlobaLeaks and SecureDrop: which is right for you?

GlobaLeaks and SecureDrop are both secure and anonymous document submission systems. However, there are important differences between the two that must be understood before choosing either.

TL;DR

Use SecureDrop to best defend legally privileged work, or when utmost security is needed.

Use GlobaLeaks if:

  • You or your organization needs an internal auditing and/or whistleblowing platform, a survey/questionnaire platform, or a file submission platform.
  • You or your organization does not have dedicated technical support to properly manage SecureDrop.
  • You or your organization wants to trial-run a secure and anonymous document submission system to understand the policy and procedural impacts before investing in SecureDrop.
  • You or your organization cannot monetarily afford the SecureDrop infrastructure.

Similarities

  • Both systems are free software.
  • Both are regularly audited by independent software security firms, and the audit results are published.
  • Both use the Tor network to support user anonymity.
  • Both require consistent administration and updates to maintain software security.
  • Both require careful thought about the system’s physical security.
  • Both require careful thought about organizational policy and procedural changes.

Differences

There are many important consequences of their usability decisions. Always perform a careful threat assessment before deploying, and periodically after deployment.

GlobaLeaks

Docs: https://github.com/globaleaks/globaleaks/wiki

GlobaLeaks aims for ease-of-use for both the administrator and users. GlobaLeaks only requires one small Ubuntu 14.04 x86-64 system with root or sudo privileges for installation and system updates. Anyone with basic Linux systems administration skills can install GlobaLeaks onto, for example, a $200 laptop. Freedom of the Press Foundation recommends the Intel NUC for SecureDrop, and that is a good system choice for GlobaLeaks, too.

The administrator needs to be able to install GlobaLeaks onto an Ubuntu system, either a virtual machine (VM) or a physical computer. After Ubuntu is installed, the GlobaLeaks install script is super simple. When the install script completes, it reports the Onion site for submissions and administration.

GlobaLeaks is incredibly flexible. An administrator could choose to install their GlobaLeaks instance in “the cloud” (someone else’s computer). But there are many security and legal consequences if you have someone else manage the service. The security consequences include the risks associated with hosting sensitive material in a virtual machine that is shared with an unknown number of unknown people or organizations. Shared virtual hosting environments are notorious, especially if you are trying to keep the location of your Onion service hidden. Additionally, if your work is threatening to any adversary, getting services shut down or losing access to materials is a higher risk if a third party manages it.

My first encounter with GlobaLeaks was in 2012 when I met one of the core developers at a Tor hackathon. I was so inspired by the project that I wrote the first GlobaLeaks Wikipedia article to help bring attention to the project. Since I’m not a developer, information activism is one of the best things that I can do to support free software and the amazing people that choose to work on free software.

I’ve deployed GlobaLeaks for several small projects. One of the projects needed a secure and anonymous document submission system (non-privileged, professional work), and another needed a secure and anonymous questionnaire to support a privacy-technology workshop.

SecureDrop

Docs: https://securedrop.readthedocs.org/en/latest/

SecureDrop aims to be as secure as possible for both the administrator and users. Administration requires intermediate Linux systems administration expertise. Once SecureDrop has been deployed, administration can only be performed locally and is command line only. Further, it is ideal for there to be an administration team, but not everyone needs to have technical skills. It is very important to understand the different systems needed and the roles they play.

SecureDrop requires, at a minimum, four independent but low-power x86-64 computer systems. The four computer systems are necessary to properly compartmentalize specific SecureDrop properties for ideal security via defense-in-depth.

One of these computer systems is connected to the Internet, the SecureDrop web server. Contrary to the default option in GlobaLeaks, the SecureDrop web server is only accessible via Onion services. A second computer system connects to the web server for the sole purpose of event reporting. This is necessary so that if the web server experiences any issues, a dedicated, compartmentalized system will be alerted of trouble. The other two computer systems needed for SecureDrop should never be networked and are called “air-gapped”. One of the air-gapped computer systems is needed to perform administrative functions; namely, the creation of Tails Linux USB drives. The second air-gapped computer system is solely used for reviewing SecureDrop submissions. Both of the air-gapped computer systems run Tails Linux.

My first and only SecureDrop deployment was for the ACLU of Washington, which is really incredible. ACLU-WA was many firsts:

– The first non-journalist organization in the world.
– The first ACLU organization.
– The first legal organization.
– The first organization in the Pacific Northwest.

At ACLU-WA, there was a desire to begin experimenting with secure submission systems as an alternative to existing, common forms of communication like e-mail and HTTPS forms that come with inherent vulnerabilities. This decision was made without a fully developed sense of what the myriad internal policy implications would be. We knew ahead of deployment that a system like SecureDrop would pose certain organizational policy and procedural consequences, but waited until after receiving our first submission to finalize all our administrative practices. Most importantly, we know that existing legal intake methods used by legal organizations pose concrete risks because they all depend on communication systems that are not designed to withstand certain passive surveillance systems.

I was not part of ACLU-WA staff or part of the technical team that installed SecureDrop. My voluntary role at ACLU-WA was to design the landing page, to create our advanced threat modeling page, to advise on website and SecureDrop hardening, and to advise on organizational policy changes.

Tor relay & Tor hidden service hardware picks, December 2015

This is the first publication of what I hope to be a regular exploration of dedicated, low-cost Tor relay and Tor hidden service devices. Your feedback will help me make these publications better, so please send me a note to: christopher at yawnbox dot com.

Objective

Help people identify well-researched hardware ideal for Tor applications including relays or hidden services.

Top picks for December 2015

Low pick ($0 – $99)

Microsoft Store for $99: InFocus Kangaroo

The InFocus Kangaroo is the highest-performing $0 – $99 device that I’ve been able to find. For comparison, the Raspberry Pi 2 Model B has a clock rate of just 900 MHz. For $35, that’s pretty good. But it’s not just $35, because you would also have to buy a power adapter, case, and storage (USB, Micro SD, etc.). The Kangaroo has a clock rate of 2.24 GHz and will surely outperform a Raspberry Pi, and if you live in the USA, you can physically buy one at a Microsoft Store. A reviewer on NewEgg claimed that they had no problem installing Ubuntu 15.10 onto the Kangaroo and that the networking devices worked without issue. The Kangaroo is Wifi only, but supports 802.11 a/b/g/n/ac (Ubuntu Server has no problem leveraging Wifi).

Low alternative

Starting at $35: Raspberry Pi 2 Model B
[WARNING: Raspberry Pi is generating weak SSH keys]

Mid pick ($100 – $199)

Newegg.com for $149: Gigabyte GB-BXA8-5557

This is an AMD A8 at 2.1 GHz, or 3.1 GHz in “turbo” mode. Three reviewers on NewEgg claimed that they had no problem installing Ubuntu 15.10 onto the GB-BXA8-5557 and that it runs very well. Ubuntu Server would run even better. This is the GB-BXA8-5557 product page.

Mid alternative

Microsoft Store starting at $169: Acer Aspire One Cloudbook 11

This option is a good one because everything is included: SSD, RAM, power adapter, keyboard, and monitor. The downside is there is no 1GbE port, but at least it supports 802.11ac with a wireless chipset that is supported by Tails Linux and Ubuntu 15.10 Server. I recently reviewed this laptop exclusively looking at hidden services support. This Aspire laptop uses an Intel Celeron clocked at 2.16 GHz (yes, with AES-NI).

High pick ($200 – $299)

Newegg.com for $294: Intel NUC NUC5i5RYK

The high pick focuses on one thing: the newest architecture CPU with the highest clock rate that is not split with hyper-threading (like an Intel i7). Intel i5’s commonly outperform all AMD desktop processors in single-threaded applications.

Methodology

There are three foundations for picking Tor application hardware:

1. Tor’s strength as a privacy application comes directly from its global diversity. It is most important that the top picks be based on low-cost and highly-available solutions, not overall performance.

2. Even with careful Tor protocol development, the security and health of the Tor network depends, in part, on the practices of Tor relay operators. In turn, the safety of Tor users depends on volunteer operators choosing well reasoned solutions. One easy way to mitigate specific attacks against Tor relays or Tor hidden services is to compartmentalize Tor-based services by using dedicated hardware.

3. As a sub-rule of both #1 and #2, no one company, either device or processor manufacturer, can be selected for all three Tor application hardware picks for any given month. Intel clearly dominates the low-cost AES acceleration, and for obvious reasons the Tor network cannot just use Intel processors.

That said, the performance-to-cost ratio of Tor application hardware is likely the reason why you are reading this. Foundation #1 helps define the three categories of picks:

1. Low Picks will be $0 – $99
2. Mid Picks will be $100 – $199
3. High Picks will be $200 – $299

If you have more money to put into dedicated Tor application hardware, that is amazing, and reading this publication might still help you.

Hardware crypto processing

It is important to consider AES accelerated processors because Tor is single-threaded and uses a 128-bit AES stream cipher.

Intel® AES-NI

The AES-NI extensions offer full hardware support for data encryption and decryption using the Advanced Encryption Standard, defined by FIPS Publication number 197. Four of the instructions support AES Encryption and Decryption while the other two support AES key expansion.

The AES-NI extensions have the flexibility to support key lengths of 128, 192, and 256 by processing the data block in 10, 12, and 14 rounds of cryptographic transformations. Since they are hardware-based, they also offer a significant increase in performance compared to the current software implementations.

Since March 2013, Intel has documented that software products that support AES-NI include OpenSSL 1.0.1 and Ubuntu 11.10.

Tom’s Hardware reviewed Intel’s AES-NI performance in 2010:

What is AES anyway?

CPU-based AES instructions start to make real sense, regardless of possible performance benefits. From a security standpoint, the processor may handle AES instructions in an encapsulated manner. This would alleviate the need for lookup tables that might provide data for side-channel cache-based attacks.

Other AES resources

You can read a highly-technical paper about Intel’s AES acceleration technology titled, “Intel’s New AES Instructions for Enhanced Performance and Security” (PDF).

Intel published a whitepaper in May 2010 titled, Intel Advanced Encryption Standard (AES) New Instructions Set.

Wikipedia has a technical-focused article covering the AES instruction set.

TorServers.net details how to verify Intel AES-NI is available in the Linux CLI.

Intel processors with AES support

6th Gen i3 (Q4’15 – Q3’15)

Intel® Core™ i3-6100E (3M Cache, 2.70 GHz)
Intel® Core™ i3-6102E (3M Cache, 1.90 GHz)
Intel® Core™ i3-6100TE (4M Cache, 2.70 GHz)
Intel® Core™ i3-6100U (3M Cache, 2.30 GHz)
Intel® Core™ i3-6100H (3M Cache, 2.70 GHz)
Intel® Core™ i3-6167U (3M Cache, 2.70 GHz)
Intel® Core™ i3-6300 (4M Cache, 3.80 GHz)
Intel® Core™ i3-6300T (4M Cache, 3.30 GHz)
Intel® Core™ i3-6320 (4M Cache, 3.90 GHz)
Intel® Core™ i3-6100 (3M Cache, 3.70 GHz)
Intel® Core™ i3-6100T (3M Cache, 3.20 GHz)

5th Gen i3 (Q1’15)

Intel® Core™ i3-5020U (3M Cache, 2.20 GHz)
Intel® Core™ i3-5015U (3M Cache, 2.10 GHz)
Intel® Core™ i3-5157U (3M Cache, 2.50 GHz)
Intel® Core™ i3-5010U (3M Cache, 2.10 GHz)
Intel® Core™ i3-5005U (3M Cache, 2.00 GHz)

4th Gen i3 (Q1’15-Q3’13)

Intel® Core™ i3-4370T (4M Cache, 3.30 GHz)
Intel® Core™ i3-4170T (3M Cache, 3.20 GHz)
Intel® Core™ i3-4170 (3M Cache, 3.70 GHz)
Intel® Core™ i3-4360T (4M Cache, 3.20 GHz)
Intel® Core™ i3-4370 (4M Cache, 3.80 GHz)
Intel® Core™ i3-4160T (3M Cache, 3.10 GHz)
Intel® Core™ i3-4160 (3M Cache, 3.60 GHz)
Intel® Core™ i3-4340TE (4M Cache, 2.60 GHz)
Intel® Core™ i3-4350 (4M Cache, 3.60 GHz)
Intel® Core™ i3-4350T (4M Cache, 3.10 GHz)
Intel® Core™ i3-4360 (4M Cache, 3.70 GHz)
Intel® Core™ i3-4150T (3M Cache, 3.00 GHz)
Intel® Core™ i3-4150 (3M Cache, 3.50 GHz)
Intel® Core™ i3-4110E (3M Cache, 2.60 GHz)
Intel® Core™ i3-4110M (3M Cache, 2.60 GHz)
Intel® Core™ i3-4112E (3M Cache, 1.80 GHz)
Intel® Core™ i3-4120U (3M Cache, 2.00 GHz)
Intel® Core™ i3-4025U (3M Cache, 1.90 GHz)
Intel® Core™ i3-4030U (3M Cache, 1.90 GHz)
Intel® Core™ i3-4030Y (3M Cache, 1.60 GHz)
Intel® Core™ i3-4330 (4M Cache, 3.50 GHz)
Intel® Core™ i3-4330T (4M Cache, 3.00 GHz)
Intel® Core™ i3-4340 (4M Cache, 3.60 GHz)
Intel® Core™ i3-4100M (3M Cache, 2.50 GHz)
Intel® Core™ i3-4130T (3M Cache, 2.90 GHz)
Intel® Core™ i3-4130 (3M Cache, 3.40 GHz)
Intel® Core™ i3-4005U (3M Cache, 1.70 GHz)
Intel® Core™ i3-4012Y (3M Cache, 1.50 GHz)
Intel® Core™ i3-4020Y (3M Cache, 1.50 GHz)
Intel® Core™ i3-4100U (3M Cache, 1.80 GHz)
Intel® Core™ i3-4158U (3M Cache, 2.00 GHz)
Intel® Core™ i3-4010U (3M Cache, 1.70 GHz)
Intel® Core™ i3-4010Y (3M Cache, 1.30 GHz)

Pentium (Q4’15 – Q2’12)

Intel® Pentium® D1507 (3M Cache, 1.20 GHz)
Intel® Pentium® D1508 (3M Cache, 2.20 GHz)
Intel® Pentium® D1509 (3M Cache, 1.50 GHz)
Intel® Pentium® D1517 (6M Cache, 1.60 GHz)
Intel® Pentium® 4405U (2M Cache, 2.10 GHz)
Intel® Pentium® 4405Y (2M Cache, 1.50 GHz)
Intel® Pentium® G4400T (3M Cache, 2.90 GHz)
Intel® Pentium® G4400TE (3M Cache, 2.40 GHz)
Intel® Pentium® G4400 (3M Cache, 3.30 GHz)
Intel® Pentium® G4500 (3M Cache, 3.50 GHz)
Intel® Pentium® G4500T (3M Cache, 3.00 GHz)
Intel® Pentium® G4520 (3M Cache, 3.60 GHz)
Intel® Pentium® N3700 (2M Cache, up to 2.40 GHz)
Intel® Pentium® 1405 v2 (6M Cache, 1.40 GHz)
Intel® Pentium® 3561Y (2M Cache, 1.20 GHz)
Intel® Pentium® 3560Y (2M Cache, 1.20 GHz)
Intel® Pentium® B915C (3M Cache, 1.50 GHz)
Intel® Pentium® 1405 (5M Cache, 1.2 GHz)

Celeron (Q1’15 – Q2’12)

Intel® Celeron® N3000 (2M Cache, up to 2.08 GHz)
Intel® Celeron® N3050 (2M Cache, up to 2.16 GHz)
Intel® Celeron® N3150 (2M Cache, up to 2.08 GHz)
Intel® Celeron® 725C (1.5M Cache, 1.30 GHz)

Atom (Q4’14 – Q4’13)

Intel® Atom™ E3805 (1M Cache, 1.33 GHz)
Intel® Atom™ E3815 (512K Cache, 1.46 GHz)
Intel® Atom™ E3825 (1M Cache, 1.33 GHz)
Intel® Atom™ E3826 (1M Cache, 1.46 GHz)
Intel® Atom™ E3827 (1M Cache, 1.75 GHz)
Intel® Atom™ E3845 (2M Cache, 1.91 GHz)

Atom for Smartphone and Tablet (Q3’15-Q3’13)

Intel® Atom™ Z3590 (2M Cache, up to 2.50 GHz)
Intel® Atom™ x7-Z8700 (2M Cache, up to 2.40 GHz)
Intel® Atom™ x5-Z8500 (2M Cache, up to 2.24 GHz)
Intel® Atom™ x5-Z8300 (2M Cache, up to 1.84 GHz)
Intel® Atom™ Z3570 (2M Cache, up to 2.00 GHz)
Intel® Atom™ Z3530 (2M Cache, up to 1.33 GHz)
Intel® Atom™ Z3785 (2M Cache, up to 2.41 GHz)
Intel® Atom™ Z3580 (2M Cache, up to 2.33 GHz)
Intel® Atom™ Z3560 (2M Cache, up to 1.83 GHz)
Intel® Atom™ Z3480 (1M Cache, up to 2.13 GHz)
Intel® Atom™ Z3460 (1M Cache, up to 1.60 GHz)
Intel® Atom™ Z3795 (2M Cache, up to 2.39 GHz)
Intel® Atom™ Z3775D (2M Cache, up to 2.41 GHz)
Intel® Atom™ Z3775 (2M Cache, up to 2.39 GHz)
Intel® Atom™ Z3745D (2M Cache, up to 1.83 GHz)
Intel® Atom™ Z3745 (2M Cache, up to 1.86 GHz)
Intel® Atom™ Z3770D (2M Cache, up to 2.41 GHz)
Intel® Atom™ Z3770 (2M Cache, up to 2.39 GHz)
Intel® Atom™ Z3740D (2M Cache, up to 1.83 GHz)
Intel® Atom™ Z3740 (2M Cache, up to 1.86 GHz)

Atom for Server (Q3’13-Q3’13)

Intel® Atom™ C2750 (4M Cache, 2.40 GHz)
Intel® Atom™ C2730 (4M Cache, 1.70 GHz)
Intel® Atom™ C2550 (2M Cache, 2.40 GHz)
Intel® Atom™ C2530 (2M Cache, 1.70 GHz)
Intel® Atom™ C2350 (1M Cache, 1.70 GHz)

Core M (Q3’15-Q3’14)

Intel® Core™ m3-6Y30 (4M Cache, up to 2.20 GHz)
Intel® Core™ m5-6Y54 (4M Cache, up to 2.70 GHz)
Intel® Core™ m5-6Y57 (4M Cache, up to 2.80 GHz)
Intel® Core™ m7-6Y75 (4M Cache, up to 3.10 GHz)
Intel® Core™ M-5Y71 (4M Cache, up to 2.90 GHz)
Intel® Core™ M-5Y51 (4M Cache, up to 2.60 GHz)
Intel® Core™ M-5Y31 (4M Cache, up to 2.40 GHz)
Intel® Core™ M-5Y10c (4M Cache, up to 2.00 GHz)
Intel® Core™ M-5Y10 (4M Cache, up to 2.00 GHz)
Intel® Core™ M-5Y70 (4M Cache, up to 2.60 GHz)
Intel® Core™ M-5Y10a (4M Cache, up to 2.00 GHz)

AMD processors with AES support

You might have luck finding AES support for a specific processor using Notebookcheck.net.

If you are new to AMD, this simple comparison to Intel may help guide you (from AMD Commercial Client Quick Reference Guide (PDF)).

A hardened Tor hidden service for less than $200

About this article

You will not understand this article if you do not have an understanding and appreciation for Tor hidden services. If you don’t even have an appreciation for Tor, you might like my article Comparing HTTP, HTTPS, VPN, and Tor with “snail mail” metaphors that looks at basic Tor operations.

Following my blog post A guide for journalists that need to defend their work from governments, I purchased a new, inexpensive Acer laptop and have reviewed it by configuring and hardening it to be a secure Tor hidden service with the intent of thwarting well-funded adversaries that may search for and discover its physical location. But first and foremost, journalists and other human rights defenders need safe spaces for their information and data, especially when moving around and crossing borders.

If I were a journalist and needed to defend my work from a wide range of threats, I would deploy several of these laptops in various geographical locations and configure them to automatically sync with each other. People need to be able to document wrongdoing and safely transport their work to private systems; quite plainly, it is often not safe for people to carry valuable information with them due to government and corporate abuses.

Please note that I am not a subject matter expert in any of the systems that I discuss in this guide. There is always someone else that knows more than I do on specific topics, but I do my best to bring together many different knowledge areas to create a holistic, usable solution. What is “best” or “more secure” is relative to so many things. If you do not understand why you do or do not perform any of these actions, you should consider not doing any of them until you do. Operational security is hard and easy to mess up, so you need to be able to think carefully and independently, and to rethink your problems often as circumstances change.

Brief SecureDrop vs GlobaLeaks vs plain hidden service discussion

I believe that news and law professionals have an ethical obligation to implement SecureDrop when interfacing with the public. That being said, this guide is absolutely not intended to support the public. This guide is exclusively for news media professionals, human rights investigators, or documentary film makers that need private storage accessible over the net.

SecureDrop has outstanding security features but it is a complex system that requires several physically-disparate systems to work together. SecureDrop doesn’t scale well due to time (education, installation, maintenance) and financial (hardware) costs. SecureDrop is not an option for the problem that this guide aims to help solve.

GlobaLeaks, on the other hand, is so easy to install it puts WordPress to shame. As long as you are comfortable with the Linux command line (yeah, I know), all you do is download the script, make the script executable, and then run the script. The GlobaLeaks script takes care of installation and prudent configuration. This guide, however, is more complex simply because hardware and software systems are not designed to withstand well-funded adversaries.

GlobaLeaks, once it’s installed, is completely configurable through a web interface. This guide will not look at GlobaLeaks configuration; you will need to research that separately. I will say that GlobaLeaks is a hardened web interface that makes it easy to upload whole files, including automatically encrypting any file uploaded to your GlobaLeaks server with a PGP public key of your choosing. It is at this point that we need to explore using a regular Tor hidden service.

A Tor hidden service, simply configured in the torrc file, is easily the most secure option if you are only operating via the command line (ssh, scp, rsync, etc.). If an adversary (accidental or purposeful) were to discover your private onion address(es), a CLI-only server has a lot less attack surface. But it also requires that you expose openssh and its dependencies. Probabilistically, an adversary discovering your Onion site(s) without first finding them physically is not likely. In my opinion it is more important at this stage of defense-in-depth thinking that you choose a solution that makes your job easier. This guide is written to support GlobaLeaks with an added hidden service for CLI operations.

Rsync’ing is probably really ideal given the use of Tor hidden services. Large file transfers may be problematic if your Tor circuits aren’t stable. Incremental backups are really great, even more so because you can perform an incremental backup on an entire encrypted volume and you don’t have to transfer the entire volume.

If you are a journalist or human rights defender and need a technical resource, I make myself available using the contact methods listed on my blog.

The new Acer Aspire One Cloudbook

The Acer Aspire One Cloudbook, also reviewed on Mashable, is a budget laptop that is, in my opinion, a good option for a Tor relay or Tor hidden service computer. The Acer with 32GB of disk storage was $189 (retail) at my local Microsoft Store. After asking about, smiling, and receiving a 10% student discount, the total was $186.43 after tax. There are also 16GB and 64GB models of this laptop.

Tested

Acer AO1-131-C1G9
Mfg date: 2015/07/30
Series: AO1-131
Model: N15V1

Important hardware specifications and security thoughts

The Intel Celeron N3050 is one of two reasons why this laptop is so valuable. This Celeron has the AES-NI instruction set, which means Tor’s encryption processing overhead is greatly reduced. AES-NI is traditionally used to speed up Tor relays, but it has the same effect on Tor hidden services if there are large file transfers taking place.

Low-hanging fruit problem number one: RAM. The second reason why this Acer is so great for Tor hidden services specifically is because the DDR3L SDRAM is integrated into the system board. This means, if an adversary were to discover the physical location of your hidden service, the RAM cannot be removed which mitigates all cold boot attacks. Combined with LUKS disk encryption, this Acer would have strong defenses against physical attack.

A nice perk is that this Acer has a TPM chip. Sadly, the laptop (either the eMMC drive or BIOS) does not support full disk encryption.

Last but not least, laptops, by design, have two great things going for them: internal batteries to withstand brief power loss, and power adapters that have built-in surge protection. It is also quite slim and passively cooled (it makes no noise), so it is very discreet. You could put this in a friend’s closet (because of its wireless connection) and it would be easily forgotten. Keep in mind that if and when these systems (with BIOS and partition encryption passwords) power down, they cannot be started back up until you are physically present to enter the passwords. Fortunately, I have personally seen Linux server systems with uptimes of 600+ days. Tor will accommodate the poor connections common with residential Internet.

Most regrettably, this Acer does not have a 1 GbE port. Fortunately the Wifi card is quite good and is recognized by Tails 1.7. For Ubuntu 15.10 server, there is some minor configuration editing needed to get the Wifi to work, but nothing crazy like driver installation. If you will not or cannot accept relying on Tor hidden services using Wifi, do not use this laptop.

If you need more storage space you will need to find a different laptop simply because of the security implications. The security implications are simple — we need to shut down all USB access, which is discussed below. From a management point of view, it is easier to manage a Linux client if there is only one storage volume — the one the OS is installed on. Never treat a solution like this as any manner of backup or archive, only as a transitional solution that is part of a broader information assurance plan. There are “desktop replacement” laptops that can support 2+ drives, and in those configurations it is possible to leverage hardware or software RAID (like RAID-1, mirroring) for storage-at-rest redundancy. Desktop replacement laptops, however, have RAM that is easily removable, and the threat model will have to be re-assessed.

Open question: I do not believe this Acer can have its eMMC drive upgraded. As far as I can tell, it is also integrated into the system board.

Low-hanging fruit problem number two: USB. If an adversary were to find the physical server, said adversary might perform a USB attack to extract important information from the system to support additional attacks, or they might modify the system in a malicious way to gain entry. There are three things to be done to mitigate USB attacks:

1. Verify that the first boot device in BIOS is the internal drive, and verify there is a high-entropy BIOS administrator password and a high-entropy BIOS boot password.

2. Configure the Linux kernel not to support USB (detailed below).

3. Optionally, close the USB ports with heat-resistant epoxy resin, and make sure the epoxy has fully cured before turning the system back on. For obvious reasons, only perform this step after you have a stable system configuration and are comfortable with the fact that it will not be possible to install another OS.

BIOS configuration for bootable USB drives

Enter into BIOS by pressing the F2 key during boot.

Main > Touchpad > select: Basic
Main > Network Boot > select: Disabled
Main > F12 Boot Menu > select: Disabled
Main > Lid Open Resume > select: Disabled
Main > D2D Recovery > select: Disabled

Security > select: Set Supervisor Password (max is 12 characters)
Security > select: Set User Password (max is 12 characters)

Ensure that you use high-entropy passwords. Sadly, 12 characters is not a lot. But we can use complex passwords, so be sure to document them on a separately encrypted device. After some testing, I was able to determine which alphanumeric and special characters this BIOS will accept, so here is a Linux command to generate good 12-character passwords (15 passwords will print, so you can easily choose two of them):

cat /dev/urandom | tr -dc 'a-zA-Z0-9-=[];,.' | fold -w 12 | head -n 15

Security > Password on Boot > select: Enabled

Boot > Boot Mode > UEFI > select: Legacy

Verify USB HDD is first when preparing to install the OS. After the OS is installed, make sure the “EMMC : HBG4e 32GB” boot device is first.

Exit > select: Exit Saving Changes

Tails 1.7 test (just for fun)

I made a Tails 1.7 USB-bootable drive from an Ubuntu 15.10 system:

dd if='tails-i386-1.7.iso' of=/dev/sdb bs=16M && sync

Tails booted without issue. The trackpad on the Acer does not work with Tails, but this does not affect a Server OS. I used a USB mouse to navigate. The Wifi works great and Tor connected with no problem.

Ubuntu Server 15.10 x64 w/ GlobaLeaks

GlobaLeaks advises using the LTS versions of Ubuntu (12.04, 14.04), but unfortunately, the eMMC SSD (storage) is not recognized by 14.04. Ubuntu 15.10 has no problem using the eMMC SSD. With the 32GB SSD, after Ubuntu Server is installed, 24GB is usable. I started by making my USB-bootable drive from an Ubuntu 15.10 system:

Disks (utility) > (select USB drive) > menu > Format Disk > (defaults) Format > Format
dd if='ubuntu-15.10-server-amd64.iso' of=/dev/sdb bs=16M && sync

Ubuntu setup configuration

  • I acknowledged that there are no network interfaces.
  • I changed the hostname to “Windows”.
  • I set an unattributable user name and long (64+ characters), unique password.
  • I selected my time zone.
  • I did not encrypt the home directory.
  • I selected: Guided – use entire disk and set up encrypted LVM (with a long (64+ characters), unique password)
  • I confirmed no automatic updates.
  • I did not install any additional services.
  • I confirmed installation of GRUB.

Find the on-board Wifi device name (the one after “lo”):

ifconfig -a

Mine is called “wlp2s0”. Make sure your Wifi network uses standard DHCP with WPA2 security (like a normal home network should). Add all of this information to the interfaces configuration file:

sudo vim /etc/network/interfaces

Add these four lines:

auto wlp2s0
iface wlp2s0 inet dhcp
wpa-ssid 'SSID'
wpa-psk 'password'

Enable the iptables firewall with UFW, which, when enabled, blocks all incoming network traffic (that isn’t Tor).

sudo ufw enable

Start up the wireless interface and connect:

sudo ifup -a

Install GlobaLeaks

sudo apt-get update
sudo apt-get dist-upgrade -y
sudo shutdown -r now

sudo su
mkdir /etc/systemd/system/tor.service.d
vim /etc/systemd/system/tor.service.d/directory.conf

Add these two lines:

[Service]
ReadWriteDirectories=-/var/globaleaks/torhs/

Then:

wget https://deb.globaleaks.org/install-globaleaks.sh
chmod +x install-globaleaks.sh
./install-globaleaks.sh

Yes, accept that you are using an unsupported system.

Once GlobaLeaks is installed, it will have printed out the onion address for the GlobaLeaks site. Now you can go there to perform your desired configuration: https://github.com/globaleaks/GlobaLeaks/wiki/Configuration-guide

Another hidden service for command line interface access

sudo vim /etc/tor/torrc

Uncomment lines 74 and 76 to activate them:

HiddenServiceDir /var/lib/tor/other_hidden_service/
HiddenServicePort 22 127.0.0.1:22

Install openssh-server:

sudo apt-get install openssh-server -y

Configure SSHd (at a minimum):

sudo vim /etc/ssh/sshd_config

Comment out these lines:

#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

Edit these lines:

ServerKeyBits 4096
PermitRootLogin no

Uncomment and edit this line:

ListenAddress 127.0.0.1:22

Restart tor and ssh:

sudo service ssh restart
sudo service tor restart

View your new (second), command-line-interface only hidden service address:

sudo cat /var/lib/tor/other_hidden_service/hostname
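An added example, not from the original post, that audits the sshd_config and torrc changes made in this section so that the second onion really exposes sshd on loopback only: each check reads one file’s contents on stdin and exits 0 on pass. The `ss -lnt` column layout (local address in the fourth column) and the `--live` flag are assumptions of this script, not of the guide.

```shell
#!/bin/sh
# Added example: audit the CLI onion configuration described in the guide.
# Every check reads a config (or command output) on stdin and returns 0 (pass)
# or 1 (fail), so the same functions run on constructed text or live files.

# Drop comments and blank lines so commented-out directives are ignored.
active_lines() { sed -e 's/#.*//' -e '/^[[:space:]]*$/d'; }

# sshd must bind loopback only: every ListenAddress must be 127.0.0.1:22 and
# at least one must exist, because no ListenAddress at all means all interfaces.
sshd_listens_loopback_only() {
    active_lines | awk '
        tolower($1) == "listenaddress" { n++; if ($2 != "127.0.0.1:22") bad++ }
        END { if (n > 0 && bad == 0) exit 0; exit 1 }'
}

# PermitRootLogin must be set explicitly to "no" (older defaults allowed root).
sshd_root_login_disabled() {
    active_lines | awk '
        tolower($1) == "permitrootlogin" { seen = 1; if (tolower($2) != "no") bad++ }
        END { if (seen && !bad) exit 0; exit 1 }'
}

# The DSA and ECDSA host keys the guide comments out must not be active.
sshd_no_dsa_ecdsa_hostkeys() {
    active_lines | awk '
        tolower($1) == "hostkey" && $2 ~ /dsa_key$/ { bad++ }
        END { if (bad) exit 1; exit 0 }'
}

# torrc must map onion port 22 to 127.0.0.1:22 inside a HiddenServiceDir block.
torrc_ssh_onion_configured() {
    active_lines | awk '
        $1 == "HiddenServiceDir" { dir = $2 }
        $1 == "HiddenServicePort" && $2 == "22" {
            if (dir != "" && $3 == "127.0.0.1:22") ok++; else bad++
        }
        END { if (ok > 0 && bad == 0) exit 0; exit 1 }'
}

# Runtime check on `ss -lnt` output (header skipped): any port-22 listener must
# have 127.0.0.1 as its local address, never *:22, 0.0.0.0:22 or a LAN address.
ssh_listener_loopback_only() {
    tail -n +2 | awk '
        {
            n = split($4, a, ":"); port = a[n]
            host = substr($4, 1, length($4) - length(port) - 1)
            if (port == "22") { seen = 1; if (host != "127.0.0.1") bad++ }
        }
        END { if (seen && !bad) exit 0; exit 1 }'
}

# Run every check against the live system and print one PASS/FAIL line each.
audit_live() {
    rc=0
    for check in sshd_listens_loopback_only sshd_root_login_disabled sshd_no_dsa_ecdsa_hostkeys; do
        if $check < /etc/ssh/sshd_config; then echo "PASS $check"; else echo "FAIL $check"; rc=1; fi
    done
    if torrc_ssh_onion_configured < /etc/tor/torrc; then echo "PASS torrc onion"; else echo "FAIL torrc onion"; rc=1; fi
    if ss -lnt | ssh_listener_loopback_only; then echo "PASS sshd listener"; else echo "FAIL sshd listener"; rc=1; fi
    return $rc
}

# Usage on the server: sh audit_cli_onion.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```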

Disable all USB

sudo vim /boot/grub/grub.cfg

There should be five different instances of the following line:

linux   /vmlinuz-'KERNEL' root=/dev/mapper/'NAME' ro

Each one of them needs to be modified by appending “nousb”, like the following:

linux   /vmlinuz-'KERNEL' root=/dev/mapper/'NAME' ro nousb

Here are the 5 line numbers that I found (in vim, type “:” followed by the number, e.g. “:143”, then press Enter to jump directly to that line):

143
161
178
196
213

sudo shutdown -r now

You can verify that USB devices are not initialized by your system by viewing the kernel log in real time and inserting USB devices (if no logs are created, then no new devices are being initialized):

sudo tail -f /var/log/kern.log
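As an added example (not part of the original post), the shell functions below automate the five hand edits: `add_kernel_param` appends a parameter to every `linux` boot line of a grub.cfg-style file unless it is already present, and `count_missing` reports how many entries still lack it, which doubles as the check after the edit. The grub.cfg fragment is constructed for the demonstration, using the KERNEL and NAME placeholders from the text. One caveat worth knowing: /boot/grub/grub.cfg is regenerated by update-grub (kernel package upgrades run it), which discards direct edits; adding nousb to GRUB_CMDLINE_LINUX in /etc/default/grub and running `sudo update-grub` keeps the parameter across upgrades.

```shell
#!/bin/sh
# Added example (not from the original post): append "nousb" to every kernel
# command line in a grub.cfg-style file, idempotently, instead of visiting
# five line numbers by hand. Output goes to stdout so the caller can review
# the result before copying it into place as root.

# Append a kernel parameter to each GRUB "linux"/"linux16" entry line unless
# the line already carries it. $1 = input file, $2 = parameter (e.g. nousb).
add_kernel_param() {
    awk -v p="$2" '
        $1 == "linux" || $1 == "linux16" {
            present = 0
            for (i = 2; i <= NF; i++) if ($i == p) present = 1
            if (!present) $0 = $0 " " p      # keeps the original indentation
        }
        { print }
    ' "$1"
}

# Count boot entries that still lack the parameter; 0 means every entry is done.
count_missing() {
    awk -v p="$2" '
        $1 == "linux" || $1 == "linux16" {
            ok = 0
            for (i = 2; i <= NF; i++) if ($i == p) ok = 1
            if (!ok) n++
        }
        END { print n + 0 }
    ' "$1"
}

# Constructed grub.cfg fragment with two entries (KERNEL and NAME are the
# placeholders used in the text, not real values).
write_sample_grub_cfg() {
    cat > "$1" <<'EOF'
menuentry 'Ubuntu' {
        linux   /vmlinuz-KERNEL root=/dev/mapper/NAME ro
        initrd  /initrd.img-KERNEL
}
menuentry 'Ubuntu (recovery mode)' {
        linux   /vmlinuz-KERNEL root=/dev/mapper/NAME ro recovery nomodeset
        initrd  /initrd.img-KERNEL
}
EOF
}
```

Typical use on the real file: `add_kernel_param /boot/grub/grub.cfg nousb > /tmp/grub.cfg.new`, inspect `diff /boot/grub/grub.cfg /tmp/grub.cfg.new`, then install the new file as root and reboot; `count_missing /boot/grub/grub.cfg nousb` should print 0 afterwards.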

InfoCamp Seattle: The privacy web application called Tor

The Tor Project

https://www.torproject.org/


How to: Use Tor for Windows

by Electronic Frontier Foundation
https://ssd.eff.org/en/module/how-use-tor-windows

How to: Use Tor on Mac OS X

by Electronic Frontier Foundation
https://ssd.eff.org/en/module/how-use-tor-mac-os-x


Spread the word about Tor

by The Tor Project
https://blog.torproject.org/blog/spread-word-about-tor


Everything about Tor

by Tom Ritter
https://ritter.vg/p/tor-vlatest.pdf


NSA and GCHQ target Tor network that protects anonymity of web users

by The Guardian
http://www.theguardian.com/world/2013/oct/04/nsa-gchq-attack-tor-network-encryption


Tor exit relays in libraries: a new LFP project

by Alison Macrina
https://libraryfreedomproject.org/torexitpilotphase1/


Configuring a Tor relay on Debian/Ubuntu

https://www.torproject.org/docs/tor-relay-debian.html.en

Configuring Hidden Services for Tor

https://www.torproject.org/docs/tor-hidden-service.html.en

Tor: Bridges

https://www.torproject.org/docs/bridges.html.en


Building Enterprise Tor Onions: Tips and Notes

by Alec Muffett
https://storify.com/AlecMuffett/tor-tips

How to Get a Company or Organisation to implement an Onion Site, i.e. a Tor Hidden Service

by Alec Muffett
https://www.facebook.com/notes/alec-muffett/how-to-get-a-company-or-organisation-to-implement-an-onion-site-ie-a-tor-hidden-/10153762090530962


Tor Hidden (Onion) Services Best Practices

by Rise Up
https://help.riseup.net/en/security/network-security/tor/onionservices-best-practices


SecureDrop

https://securedrop.org/


The Official SecureDrop Directory

by Freedom of the Press Foundation
https://freedom.press/securedrop/directory


Organizations Supporting Tor: Help Us Help You!

by ACLU of Washington
https://aclu-wa.org/blog/organizations-supporting-tor-help-us-help-you


City of Seattle could lead privacy and transparency efforts with SecureDrop and Tor

by ACLU of Washington
https://yawnbox.com/?p=3742


Tor outreach materials

by The Tor Project
https://people.torproject.org/~lunar/outreach-material/


Tails Linux

https://tails.boum.org/


Orfox: Tor Browser for Android

by The Tor Project
https://play.google.com/store/apps/details?id=info.guardianproject.orfox

Orbot: Proxy with Tor

by The Tor Project
https://play.google.com/store/apps/details?id=org.torproject.android


Anonabox

https://www.anonabox.com/

Invizibox

https://www.invizbox.io/

City of Seattle could lead privacy and transparency efforts with SecureDrop and Tor

Draft 2

The City of Seattle has an opportunity to become the first city in the world to adopt cutting edge technology that supports personal data privacy, information security, and government transparency. SecureDrop and Tor, both free software solutions, independently designed and independently important, together create an ecosystem for government accountability.

Tor is an encrypted networking protocol used in conjunction with Tor Browser, an application that allows anyone to maintain confidentiality of certain personal data when browsing the Internet. Tor Browser is advocated to many underserved communities, like the Cambridge domestic violence prevention organization Transition House [1]. Similarly, Seattle Public Library discussed how they plan to support Tor Browser in a recent blog post titled, Online Privacy and the Use of the Tor Network in the Library [2].

Another Tor application is called “Hidden Services”. Hidden Services provide end-to-end encryption just like using “HTTPS” when connecting to your bank, but with the benefit of Tor routing that further protects personal data. There are many ethically-centered reasons why the social platform Facebook and the search engine DuckDuckGo provide their users access via Hidden Service, but mainly it is to give their users identity control.

SecureDrop is a secure and anonymous document submission system that employs Hidden Services. It is currently used by law firms like the ACLU of Washington for client intake, in addition to news media organizations like the New Yorker and the Washington Post for protecting journalist sources. SecureDrop would help satisfy the requirements of “internal institutional and external oversight mechanisms” discussed in the recently published United Nations Report of the Special Rapporteur to the General Assembly on the Protection of Sources and Whistleblowers [3].

According to Tor Project, Hidden Services provide a means for Tor users to create sites and services that are accessible exclusively within the Tor network, with privacy and security features that make them useful and appealing for a wide variety of applications. The potential of Hidden Services is huge, and much of it is yet to be explored [4].

To maximize trust building opportunities, the City should exclusively use free software when deploying technologies that interface with the public. Adopting Tor privacy applications would not just set a high bar for data privacy expectations, it would establish trust because anyone can independently review how the software works and how personal data is protected. There are several ways that City government departments could take advantage of these privacy applications. Each would provide real-world benefits that defend the rights of City residents:

1. Tor Browser

Deploying Tor Browser on certain City government computers, or supporting Tor Browser through explicit policy and education, would provide certain assurances about data privacy and demonstrate a commitment to web based data privacy initiatives. The target audience could be City government employees or the general public depending on location and goals.

Additionally, providing educational material to targeted groups of people about how to use Tor Browser effectively from personally owned computers will decrease the apprehension of accessing certain public resources or providing meaningful but anonymous feedback to specific City government organizations.

2. Hidden Services

City government organizations supply many web-based resources, but sometimes accessing these resources carries potential social or legal consequences that turn people away. These resources can be made available via Hidden Service, allowing people to access web-based resources with less stress.

3. SecureDrop

Internal: City government organizations can use SecureDrop to strengthen their commitments to accountability. By sharing a SecureDrop server address internally, organizations can deploy a dependable whistleblowing avenue, or a powerful tool for soliciting anonymous feedback.

External: Having SecureDrop for secure and anonymous document submissions would guarantee certain data privacy and information security protections because of the design of the system. Like Tor and other free and open source software projects, anyone can read about and comprehensively understand both the code and the operations of how the application is supposed to work. Public complaints, public feedback, perceived government abuse, and issues pertaining to the City of Seattle can all be securely and anonymously received with a publicly shared SecureDrop server.


1 http://www.betaboston.com/news/2014/05/07/as-domestic-abuse-goes-digital-shelters-turn-to-counter-surveillance-with-tor/

2 https://shelftalkblog.wordpress.com/2015/09/22/online-privacy-and-the-use-of-the-tor-network-in-the-library/

3 http://www.ohchr.org/EN/Issues/FreedomOpinion/Pages/ProtectionOfSources.aspx

4 https://blog.torproject.org/blog/crowdfunding-future-hidden-services

Supporting SecureDrop with Creative Commons

Dear SecureDrop supporters,

As of this writing, there are 17 organizations actively using SecureDrop [1] in order to support secure and anonymous document submission. This number needs to increase for redundancy and diversity purposes. In this post I will describe one important way to enhance SecureDrop adoption.

Administrators of SecureDrop are responsible for creating an HTTPS landing page with the goal of educating its visitors about the technology including the ideal ways to use their SecureDrop server. Organizations employing SecureDrop must write thoughtful and clear instructions for their landing page based on their unique organizational requirements and goals. Freedom of the Press Foundation has written a sample privacy policy [2] that provides a solid foundation for some of this landing page content.

Exceptional SecureDrop landing pages already exist, and The Intercept’s SecureDrop landing page [3] is one example. I believe there is always room for improvement, which I have detailed in a related post, The limitations of SecureDrop and Tor for whistleblowers [4].

Proposal

To best support the use of high-quality information:

  1. Freedom of the Press Foundation should encourage SecureDrop adopters to license the semantic and/or graphics content of their respective landing page as Creative Commons Public Domain (CC0) [5] or Creative Commons Attribution-ShareAlike (CC-BY-SA) [6].
  2. Existing organizations employing SecureDrop should apply a CC0 or CC-BY-SA license to their SecureDrop landing page.

Tor Project already licenses their website’s content as CC-BY-SA [7], which is an important contribution in addition to their existing open source software.

SecureDrop is a complex security environment that depends on Tor. Tor Browser is also a complex security tool despite Tor Project’s usability achievements. Additionally, high quality SecureDrop landing pages explain that Tails Linux should be used instead of Tor Browser when submitting documents in order to mitigate specific security concerns. These are three independently complicated security tools that require clear and thoughtful information pertaining to their use. Of all of the possible users of Tor and SecureDrop, supporting the extreme security-sensitive population, whistleblowers, demands providing high quality information.

An unrestrictive Creative Commons license such as CC0 or CC-BY-SA applied to a SecureDrop landing page lets other organizations easily adopt high quality information. Applying an open license would help foster a stronger community of organizations working hard to best support possible whistleblowers. Having to reword complex security precautions because of copyright restrictions is a dangerous proposition given the limited amount of open source privacy technologies available.

Thank you!

References

1 https://freedom.press/securedrop/directory

2 https://securedrop.org/sample-privacy-policy

3 https://theintercept.com/securedrop/

4 https://yawnbox.com/?p=3655

5 https://creativecommons.org/publicdomain/zero/1.0/

6 https://creativecommons.org/licenses/by-sa/3.0/us/

7 https://www.torproject.org/docs/trademark-faq.html.en

License

CC0
To the extent possible under law, the person who associated CC0 with Supporting SecureDrop with Creative Commons has waived all copyright and related or neighboring rights to Supporting SecureDrop with Creative Commons. This work is published from the United States.

The limitations of SecureDrop and Tor for whistleblowers

The use of security software for the purpose of maintaining privacy boils down to physical safety. If you decide to take on the responsibility of educating someone about security software, you have an ethical obligation to provide a holistic understanding of the technology while being willfully transparent about your goals.

The Rule: You cannot let anyone’s idealism, including your own, fill in the gaps of what is not known about security software.

Privacy leaders, including organizations that employ or advocate the use of SecureDrop and Tor, must understand that any security technology that they choose to employ will be part of many delicate systems, including (in order):

  1. The user’s actual risks from external actors
  2. The user’s real life decisions concerning what, when, why, and how
  3. The user’s entire software environment
  4. What the software is capable of
  5. What the user wants

If you do not talk about these things in a targeted and meaningful way, you are violating The Rule. Tor, the protocol, is a means of probabilistically disassociating unavoidable network metadata generation from the user. SecureDrop, the environment, compartmentalizes information (cryptographically) and components (physically) to minimize metadata creation and to avoid vulnerabilities inherent with networking. 1, 2, 3, and especially 5 do not change what the respective security software is capable of. If you host SecureDrop and you choose to not inform the users about the security software that you want them to use, you are violating The Rule.

The following is one way that your organization could assist users with their secure document submission planning.


SecureDrop security and privacy advantages

1. Our SecureDrop system is under the physical control of our organization.

2. Connecting to our SecureDrop server is end-to-end encrypted because it is a “Tor hidden service,” a website that is only accessible through the Tor network. Information submitted through SecureDrop is cryptographically authenticated and private.

3. SecureDrop requires the use of encryption keys to maintain the confidentiality and integrity of the information that we receive. We keep our SecureDrop encryption keys on air-gapped computers that never connect to the Internet or our corporate network. Even if our SecureDrop server gets hacked or the physical hardware gets confiscated, the files and messages previously submitted should still be shielded from the attacker.

4. Using the Tor network helps mask your activity from anyone that is monitoring your Internet connection, and it helps mask your identity from anyone monitoring our Internet connection.

5. SecureDrop does not log connections, and your IP address or physical location is not disclosed to our organization because of SecureDrop’s dependency on Tor. Even if a government agency tried to compel our organization to provide logs, we could not do so.

6. It is very difficult or impossible for passive surveillance techniques to determine that you are interacting with SecureDrop. The use of a Tor hidden service prevents network traffic from ever leaving the Tor network thereby supporting anonymity and complicating any broad surveillance of entire networks.

7. Tor Browser is a portable application, so you do not need to install any software to access SecureDrop.

8. SecureDrop is free and open source software that is available to the public. Freedom of the Press Foundation hires an independent auditing company and publicly publishes the results.

9. Tor, the network protocol, and Tor Browser, the Internet browsing application, are both free and open source software that is available to the public. Tor Project uses Coverity and Veracode bug scanning software.

SecureDrop security and privacy warnings

1. If you believe that you or your computer system is under active, targeted surveillance, do not risk your personal safety by sending our organization sensitive material.

2. Presume that computer systems legally or physically owned by anybody but you are compromised and under active surveillance. Most corporate and government owned systems monitor and log activity. If they do not monitor or log activity, they still have legal rights to the hardware, software, and data on the device. Use a personally owned computer system that you trust.

3. An already-compromised computer, one running keystroke logging, activity logging, or screen grabbing spyware, will likely defeat the privacy protections that SecureDrop and Tor provide. If you are at all suspicious of malware of any kind, use Tails Linux instead (see additional details below). Using SecureDrop presumes that your computer system is safe to be doing sensitive work from.

4. By default, Tor Browser does not save website history or website cookies. This data is ordinarily not recoverable after you close Tor Browser and fully shut down your computer. However, all mainstream operating systems betray their users’ expectations by saving browsing activity information in various ways. It is your responsibility to accept the risk that your computer may be physically confiscated and analyzed. Disk encryption can help mitigate this risk. Tor Browser is designed for privacy, but it does not mitigate the risk of local metadata generation since the operating system that it runs in is not designed for privacy.

5. Passive network monitoring and data retention are practices performed by all Internet Service Providers (ISPs). They deliver Internet to your home, office, and every coffee shop that offers Wi-Fi. ISPs document all kinds of specific metadata, including the facts that someone is using Internet service and when, and that someone is generating Tor traffic and when. Places that offer Wi-Fi often have connection requirements like accepting a Terms of Service. This process means the access point records hardware identifiers that belong to your computer. Taking advantage of the Tor anonymity network allows you to distance what you are doing from the metadata generation inherent in Internet surfing. Tor Browser may help you mitigate certain data linkability risks, but it does not evade the risks entirely.

6. When using Tor, it is unlikely that passive network monitoring can determine the destination of your Internet use, including connecting to our organization’s SecureDrop server. Access SecureDrop from a public location that you do not regularly visit to help make unavoidable metadata collection by intermediaries or possible attackers less useful for identifying or targeting you.

7. Our organization’s website (presumably) employs mandatory HTTPS to protect all of our website visitors. Using standard web browsers such as Firefox or Chrome to access any of our web pages creates network metadata showing that you are visiting our domain, not this page specifically (presuming we’re NOT using a uniquely identifiable sub-domain). However, advanced network monitoring software can analyze the metadata of encrypted traffic to determine exactly which pages you are reading. Be conscious of who might use this information against you, and choose your Internet access carefully.

8. Using Tor guarantees that SecureDrop does not know who you are or where you are unless you explicitly share identifying information with us. If you are thinking about releasing information to us and doing so would put you in harm’s way, do not share personal details with our organization unless it is critical information pertinent to the disclosure.

Security problems that our technology cannot help with

1. If you plan on checking back for SecureDrop messages that are only accessible with your private codename, be sure to keep your codename private. Treat your codename like you would a bank password. Ideally, keep your codename on an encrypted USB drive that is only accessible by you.

2. If you expect a response from our organization via SecureDrop, do not email, call, or contact us via social media.

3. Do not share, with anyone, that you are sharing material with our organization unless you are advised by explicit legal representation.

4. Before utilizing public Internet access to leak information, consider your data’s linkability, your own risk profile, and your personal goals. Plan carefully. You may want to avoid using electronic payment systems including credit cards, debit cards, reward cards, or mass transit payment cards in proximity to the location where you make the disclosures. You may want to avoid using automobiles that are susceptible to license plate readers or have internal GPS or cellular tracking mechanisms. Leave your cellular devices behind at home. Pay with cash and be nice to everyone you meet, but of course, try to avoid interaction as much as possible.

Tails Linux

While not every person’s risk profile may warrant its use, Tails is a free and open source operating system that you burn to a DVD or install onto a USB drive. Tails runs directly from that DVD or USB drive, meaning it does not get installed onto any of your computer’s internal disk drives. Tails is developed exclusively for privacy-minded individuals and forces all Internet connections over Tor. Using Tails to connect to our organization’s SecureDrop server resolves several problems that Tor Browser alone cannot, including:

1. Tails evades most forms of client-side surveillance software and malware. When you start Tails, it does not use or change your computer’s existing operating system, applications, or data. Tails loads into your computer’s temporary memory and allows you to access the Internet over Tor with a Firefox-like browser called Iceweasel. However, if there is a hardware surveillance system installed, or the system has been compromised at a deeper level than the operating system, Tails may not provide any privacy benefits.

2. Tails does not save any data to local disk storage, so all activity performed during its use is lost forever once you shut down the computer. Remember that Tails still creates network metadata when connecting to and using the Internet but with one exception: the hardware ID that wireless access points save is randomly generated and automatically shared when using Tails, not the real hardware ID for your computer.

For more information about Tails Linux, including installation documentation and good practices, please visit https://tails.boum.org/.


Article feedback:

yawnbox AT riseup DOT net, GPG key

Article license:

CC0
To the extent possible under law, the person who associated CC0 with The limitations of SecureDrop and Tor for whistleblowers has waived all copyright and related or neighboring rights to The limitations of SecureDrop and Tor for whistleblowers. This work is published from: United States.