SecureDrop On-Site Training Schedule

This is a high-level schedule of what happens during the 2 days of an on-site install.

Day 1: Preparation and Install

Setup and Introductions

Time: 30 min

Participants: all

Required: projector, WiFi access, pre-configured demo SecureDrop instance and 2 laptops to act as the Journalist Workstation and SVS

  • The demo instance has multiple sources, in different states of the reply process, to give a feel for what an instance looks like 2 weeks after going public

Overview of SecureDrop

Time: 2 hours

Participants: journalists, editors, SecureDrop admins, OSSEC alert recipients and anyone else interested

Questions

Time: 30 min

Installing SecureDrop

Time: 6 hours

Day 2: Journalist and Admin Training

Journalist Training

Time: 2 separate sessions, about 2 hours each

Participants: journalists and admins

  • Check access to previously created Tails USB
  • Generate personal GPG keys
  • Set up KeePassX manager (one for SVS, one for personal Tails)
  • Choosing between YubiKey and the Google Authenticator app for 2FA (SSH, Journalist Interface, FDE and password managers)
  • Secure deletion: the difference between wipe and erase free space on Tails, and when to use each
  • Disaster recovery for 2FA, password manager and personal GPG keys
  • Updating Tails
  • Backing up the SVS
  • If needed, process for distributing the Application’s private GPG key to a distant journalist’s air-gapped SVS
  • Do a complete walk-through of the journalist process twice, either on different days or split between morning and afternoon sessions
  • Using MAT (Metadata Anonymisation Toolkit)
  • What to do for unsupported formats

Admin training

Time: 2 hours

Participants: admins

  • Check access to previously created Tails USB
  • Generate personal GPG keys
  • Set up KeePassX manager (one for SVS, one for personal Tails)
  • Choosing between YubiKey and the Google Authenticator app for 2FA (SSH, Journalist Interface, FDE and password managers)
  • Secure deletion: the difference between wipe and erase free space on Tails, and when to use each
  • Disaster recovery for 2FA, password manager and personal GPG keys
  • Updating Tails
  • Setting up SSH aliases for the admin Tails workstation
  • How to use screen or tmux to help prevent being locked out of the system
  • Adding packages to Tails
  • Go over common OSSEC alerts for security updates and daily reports
  • Disaster recovery for application, remote access and SVS
  • Common admin actions
  • Adding/removing users
  • Enabling logging
  • Sending logs to FPF
  • Generating new Tor hidden services
  • Updating application’s GPG key
  • Re-IP’ing
  • Backups
  • Disk space monitoring
  • Updating SMTP and OSSEC alert configs
  • Changing passwords (for FDE, persistent volumes, 2FA, KeePassX managers...)
  • What happens to local modifications on the production system after updates
  • Updating SecureDrop Application
    • Unattended upgrades
    • Upgrades that require admin intervention