-
Notifications
You must be signed in to change notification settings - Fork 46
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Finalize document export approach #84
Comments
yes, you can script attaching a USB device to a disposable VM; i wouldn't know off the top of my head what's the safest and most-efficient way to do it yet, though. once you get that sorted, it's pretty simple to leverage basic luks-encrypted utilities via nautilus or veracrypt (if you include it in the disposable vm template) to push media into "cold storage" |
There is a first proposal for an architecture in the current README in this repository (in short: copy files to Is this the architecture we want to use? There are two major problems the final architecture should mitigate against:
Let's explore/test some additional options. If we do use disposable VMs, we'll have to think more about batch exports to avoid user frustration. |
DisposableVMs seem perfectly suited for this task, and I think automatically attaching it would make sense (and especially would guard against a user attaching the usb device to the wrong vm, like The most straightforward implementation would likely have Redaction/Sanitization:In the current model, if they are copied from sd-svs, they are likely not redacted/sanitized, so there may need to be an export flow from the EncryptionWhatever is running in |
As the users experience the export flow, I'd like for the whole thing to feel natural enough for our parents to walk-up and feel completely comfortable with it. I appreciate that security and Qubes mandate extra precautions; I do. I also know that EVERYONE wants to see a primo UX result from all our hard work. In service to that shared goal, I submit the above nudge on technical dependencies that may impose extra steps in the export process' UX. Just a nudge. I know you guys have a lot of work to do. :) Our users are unlikely to be major consumers of FOSS products, or maker/DIY-minded (as most American FOSS consumers tend to be)... so that extra push from us in service to their comforts, will go a long way wrt building the confidence to dive deeper into technical unknowns—which, bigger-picture, is the broader goal in shaping safer behaviors in folks. |
Another option may be the new persistent-name DispVMs introduced in Qubes 4.0. Like classic DispVM, they are stateless and are based on a DVM template. Unlike classic DispVM, they have a persistent name, e.g. disp-sds-export, and metadata. Once created, you can open its qubes settings from CLI ( marmarek describes the creation process here: https://groups.google.com/d/msg/qubes-users/LB9f9OSWCzM/Grsk5VDjCQAJ |
For the 4/17-5/1 sprint, @eloquence will provide a more detailed summary of the currently UX-prototyped workflow and the underlying assumptions re: Qubes VMs; @emkll will then do an initial technical and security investigation, aiming for a first iteration implementation proposal we can consider for the n+1 or n+2 sprint. |
^ @emkll requested the latest prototype(s) for Export, yesterday. The two options being considered are linkable w/ brief prototype-specific details, here: https://github.com/freedomofpress/securedrop-client/wiki/Styleguide%28ish%29#export-functionality Yep, I updated the Briefcase flow to reflect the latest VisDe updates, too. Still holding-out hope that it might get in for Beta, but totally understood if not. :) |
So far, we have mainly focused on the "briefcase" flow, where you essentially have a staging area for exports within the SecureDrop client, then spin up a disposable VM when you're ready to export. In the UX meeting last week we discussed whether it might be possible to have a much more lightweight workflow for managing exports. If it is feasible to initiate a disposable VM for each session (either client login session, or Qubes login session) which has the required USB device access, any files exported during the session could be exported to the same VM. That would eliminate the need for an export staging area in the client, significantly simplifying implementation. It would also improve performance given the reduced number of VM spin-up/tear-down cycles. @emkll, @rmol, @redshiftzero I would suggest that we plan to research that specific question through some targeted prototyping in Qubes; does that make sense to y'all? |
Following several discussions with @redshiftzero and @rmol , as well as all the excellent input provided above, I propose we proceed with the following, unless anyone has any objections: sd-client in sd-svs
sd-export-template
sd-export-disp (persistent named DispVM suggested by @airelemental above, and based on sd-export-template)
I think a disposable VM for each session could work, if we take care to mount/unmount the drive each time we perform a write to the disk. We don't want to introduce further complexity around adding disk management state to the export VM, as the files aren't exported to the VM but rather written to an external device mounted in that VM. We must ensure that USB devices that are unplugged without being ejected and result in corrupted exported data. Note however that if we want to incorporate convert-to-trusted-pdf in this flow, this itself will introduce a dispvm cycle. Before mounting the USB device, dom0 needs to attach it to a VM. So far, there seems to be three ways to achieve this: Given the potential for user error, options 1 or 3 seem most prudent, and 2 and 3 provide the most flexibility. |
@emkll It would be ideal if we could have one/singular sd-disp-export VM for all documents to be saved to, from the Client—for printing, redaction or safe-PDF tools use, onionshare, or saving to a USB drive. Am I reading your assessment correctly, that you'd rather have a different disp-VM for printing vs saving things to USBs and Onionshare? That seems like it'd be very confusing to users... tho admittedly, not as confusing as using Qubes' devices widget. I've grown increasingly fond of the idea of having one single "Briefcase" disp-VM, that all files for use with peripheral devices or onionshare, get saved to. As you noted in your recommendation, each one would be ephemeral to each authenticated session—but a single destination disp-VM will spare users the cognitive/process burden of deciding how they wish to act upon files before exporting them... and may also spare users the need to multi-export to multiple VMs (printing and saving). If I understand your recommendation correctly. The device auto-attach is pretty important too, though. Is it a binary one-or-the-other to keep security high? Could a "safe" printer get designated for each workstation laptop—as that one peripheral is unlikely to ever change? Yeah, journalists love to print—but we also don't know if that's because treeware is the only tool they currently have for scrubbing metadata, their only means to share files at the moment, or other motivations. Looking forward to studying your recc more closely/carefully! |
The intent is for sd-export to be disposable (its state shouldn't persist across sessions/reboots), and used for both printing and exporting to a USB drive. I think it would be best to abstract the details away from the user, and not persist any data in the sd-export vm: it should be stateless. Introducing state will likely be complex to maintain from a technical perspective. In the context of the export flow (in the case described above, usb drives), we want the export to be an atomic operation initiated from the client in sd-svs and requiring no further interaction from the user. The user should not even be aware of sd-export.
Yes, we could probably set per device (vendor/model, but no serial number) rules to auto-attach to the export VM. The printing flow is still a bit unclear to me (I am not sure if one could trigger a print via CLI to avoid user interaction in sd-export other than them changing the print settings like duplex or other). |
Thanks, @emkll, for putting this together. The idea of an essentially stateless "pass-through" VM for export definitely has a lot of appeal. I think we'll want to contrast it with a "staging area" VM which could serve as a starting point for redaction, printing, or export. Perhaps these two concepts are even complementary. Either way, automatically attaching storage devices would be a huge win for usability. Our research shows that the device attachment process is quite confusing; even with guiders, users struggle to make sense of it, and may also fundamentally misconstrue what it is they're doing. Questions:
|
Very cool, thx for the clarification @emkll. Yes, we're in total agreement then, on general interests (my expectations are/were also that it'd be disposable per session‚ tho I probably confused that via incorrectly attributing tying that to authentication). |
Yes, given how easy it is to lose/misplace a usb device, I think we absolutely must enforce encryption of the device and/or the exported submission in some way. While full disk encryption is probably best to reduce metadata should the disk be lost/compromised, there are several other ways we can encrypt these exports:
I think the "export launches Nautilus" flow you describe sounds interesting, but would be curious to see how well this will work in practice. Provided comprehensive training and documentation this approach seems more flexible for an end-user. However, this VM will possibly have network connectivity (onionshare), it would be best to keep this on the rails and automate as much as possible to minimize potential user error, given the complexity of Qubes. |
So, thinking this through a bit more, @emkll, I think that the approach you describe would work well with the "add to briefcase" workflow prototyped here (click pink arrows in top right to advance). In this scenario, initiating a batch "Export" operation would do the following:
Once they have done both, the export would be performed via the passthrough VM as described in your diagram, and encrypted symmetrically via gpg using the provided or generated passphrase. For more advanced users, we could offer an "export to file manager" option. This would copy the files to the VM (using the same disposable VM template) instead of directly to the storage device. On that VM, the user could then attach/detach devices, and perform other operations such as "convert to trusted PDF". RationaleWhile I was hoping we'd be able to avoid the full complexity of the briefcase flow, in almost any export workflow that involves multiple files, without an "add to briefcase" workflow within the client, we'll likely have to prompt the user multiple times in annoying ways (passphrase, "attach storage device now", etc.), and we might also have to incur the disposable VM launch penalty multiple times. The "Add to briefcase" flow has the big advantage that whatever we need to ask the user, we can ask them exactly once -- before they start an export operation, whether it includes 1 file or 1000. Additional considerations
|
For the 5/15-5/30 sprint, we committed to a CLI-only proof-of-concept implementation of the passthrough VM approach described in Mickael's comment, to aid in further UX prototyping that is more closely aligned with what's technically feasible. That should ideally include the automatic mounting of a storage device, but the scope of the proof-of-concept will be constrained by a 16 hour timebox. @rmol and @emkll will likely drive this proof-of-concept. A video (screencast or cell phone recording) would be very helpful for UX purposes. |
Had a quick chat w/ @redshiftzero @rmol @emkll today. Recap of my understanding based on this conversation:
Open Questions: Passphrase ManagementWe had consensus that we want to generate a diceware passphrase for the user, and that the passphrase would likely be per-workstation (not per-user, per-session, or per-export). The export passphrase mainly mitigates against operational security failures in managing the storage device. That said, the following open questions remain:
Input from both a security and a UX perspective on these questions would be appreciated. I'll take a first stab of my own at that in a follow-up comment. Beyond single file exportWe've agreed for now to treat single file export as the first iteration. Support for printing or other advanced features ("trusted PDF" etc.) may slip into post-beta territory. That's a big deal for newsrooms, who'd have to copy file to other machines for purposes like printing, so I would like to treat printing at least as a should feature, one we'll try very hard to keep in scope. But let's see what hurdles we encounter in this first iteration before making a final decision. |
@emkll @rmol I've blocked away some time for us to go over the workflow prototyped in #259, as well as other findings from your spike (currently scheduled for 6/5). What would be super-helpful prior to then is to have a series of screenshots, photos, or a cell phone video sequence documenting the export workflow described in #259, to help think through the user experience we may want to build around that. Is that something either of you would be able to provide? |
Capturing my understanding of the current consensus on open questions:
The user would be prompted on the first export of a given client session to enter the passphrase, after which it would be retained for the length of that session. (Detail to resolve: how to handle multiple drives with different passphrases.)
We would recommend that they use their existing password manager, most likely on their phone.
Because the workstation would not retain export passphrases beyond the duration of a session, this is not an issue. Since we have a starting point from which to iterate in |
Logic in latest IxD that will navigate users through export. Plopping here per @emkll request. Below, from current wireframes: |
Closing this issue per previous comment as I think we have broad consensus on the high level architecture and rough UX flow for the first implementation. For cross-cutting discussion for print & export, and to track all related issues, I've opened #290. |
After review / redaction, how does a document make it on to a USB drive?
Consider that we can permanently attach a USB device to a non-disposable VM, so UX might be best choosing the export or SVS options. In that case, how does the user easily copy redacted/reviewed submissions to the appropriate VM?
The text was updated successfully, but these errors were encountered: