Group comms options?


#1

Hey all, nice forum!

I'm looking for tech that would support secure group comms amongst a fairly large group of journalists. The goal is to do substantive discussion of collaborative work, so think mailman, Discuss, etc. - not Slack or Telegram.

At the same time, we're talking about a variety of threats, including smaller state-level attackers. Participants are very varied in their background and training - generally have a pretty good, but not hard-core, security awareness. Obviously, not tech nerds and can't be bothered to do the really weird shit.

The thing we're playing with right now is schleuder, which basically mixes up a classical mailing list with GPG. This freaks me out because I don't think it's particularly intuitive, and because it means that one lost private key makes an entire archive decipherable with no way to react.

What ideas do people have on dealing with this? Tools, mainly, but perhaps also strategies.


#2

It sounds like you're talking about working on a personal computer, is that right? It sounds like persistence is important here. It also sounds like metadata is not the huge concern, but rather, the content.


#3

Yes, exactly:

  • Most of the participants would be working on their private laptops or company-issued machines, some of which may even be Windows boxes with limited rights.
  • Persistence is important, search is desirable but not a show stopper.
  • Metadata-wise, the participants are generally known to be members of the group, but if there's an option to make the amount of activity less obvious, that'd be a bonus.

#4

Have you considered the WhatsApp web client? Signal protocol encrypted groups, persistence, file transfer, phone calls... Doesn't hide metadata from Facebook but I suspect that's not a problem for you.


#5

I just don't think chat will really cut it for collaborative work, where people might want to do a few paragraphs with links, lists etc. - and allow for a delay in one thread of the discussion while others continue in the meantime.

(Why is it, anyway, that all crypto tool discussions and development in the last two years seem to be about chat apps? Have I completely missed out on The Millennials attaining world domination?)


#6

A legal concern where you have logs is that courts can subpoena records, or search archives pursuant to a warrant. You may or may not know that you can't (usually) be compelled to give over your passphrase, but relying on so many people to know that they don't have to give over or enter their passphrases is troublesome, because people can be tricked into consensually decrypting their endpoint, which would then give access to everyone's communications. Something to consider, if you don't have a forward-secure messaging option.

Does anyone know what the group of journos used to review the Panama Papers? It sounded like there was a whole mini-social-network-style collaborative environment, complete with 2FA logins.


#7

Thanks for those broader considerations - similar considerations have led me to argue that in this case a centralised server in a well-understood legal regime would be preferable to having too many things stored on people's machines.

Re ICIJ: They used a modified version of oxwall with 2FA, HTTPS, and a randomised domain name (?). From what I know, their notifications aren't public yet (?), but I'll check up on that.


#8

A server in a safe domain is probably the best you're going to get.


#9

Some of the Panama Papers folks talk about using Oxwall / the Global I-Hub here. Haven't seen a public rollout.


#10

Oxwall would make me nervous because it's complicated PHP software, and "complicated" + "PHP" are problematic attributes for secure software.

Also: popular web forum/community packages are reasonably high on the list of priorities for state sponsored vulnerability researchers, because they're used by criminal groups. (Some anecdotal evidence backs this up).

I think the grugq is correct as usual: keep it very simple, use a safe server, use PGP if you can but count on HTTPS for most of your cryptographic security.

Two things I might avoid:

  • Group email of any sort. Email is treacherous to secure, and even if you can get everyone on the same PGP regime, everyone in your group will now have multiple unencrypted copies of every message stored in their mail client; it's an OPSEC nightmare.

  • Secure group messaging applications. The track record for the cryptography of these things is not good.

If it was me, I might just want a very carefully configured HTTPS web server running something like Atlassian Confluence (every F500 security team in America has at some point tasked a pentesting team to whack on Confluence, which is written in Java).

(I hate Confluence, like, as an application, just for what it's worth).


#11

I agree it's partially a generational thing. But you can get a lot of work done by chat, and thread equivalents by creating multiple chats. Chat apps are also interesting from a security point of view because email security failed so bad.


#12

Do the smaller state actors include those who are featured on the Google transparency report? If not, I want to summon @harlo (if @ works in this context). Schleuder is a beast to manage. I have not given it much look, but I ask the community here about https://sandstorm.io/. Its ease of setting up a variety of apps is useful; its security seems better than the other options as far as collaboration.


#13

What about crabgrass? Still does not have a way to use GPG but it is much easier to use than schleuder.

https://we.riseup.net/crabgrass/frequently-asked-questions
https://we.riseup.net/riseup+crabgrass/we-riseup-net-over-tor


#14

Thanks for that link, gaba! Going to check it out.


#15

I agree with the general consensus here that email and mailing list-based systems won't do any longer for the same reason @tptacek mentions (re: email, that is). There's not much standing in the way of a state actor, large or small, gaining access to the entire list via any one of its many users. That's the path of least resistance and that won't get fixed no matter how securely the mailing list is set up. This was also mentioned up-thread (thanks, @exvxs), so let's agree to say no to mailing lists for these purposes from now on!

Also agree that chat apps (Signal/WhatsApp) aren't right for this purpose, but mainly because their UX is too limited for the type of interactions you're looking for.

So, now platform apps (like Discourse, which runs this forum) are in. But, for group comms of a highly-secure nature, not all of them are suitable because there are a lot of baked-in bells-and-whistles which could enable sneaky user fingerprinting.

I suggest we establish a checklist to evaluate group forum platforms, and take it from there. Here's a starter:

  • Pseudoanonymity for users
  • Email not required to create an account, and the ability to turn off all external notifications (i.e. don't ping me when someone "likes my post")
  • Nimble self-hosting deployment (i.e. over Docker)
  • (Semi-)easily configurable logging for administrators
  • Users turning off JavaScript won't break everything (because access over Tor is a must!)
  • Doesn't rely on massive CDNs
  • Doesn't talk to 3rd party asset managers like Gravatar (not sure what the term for that is...)

What else?

Super agree with @gaba about Crabgrass; the most important aspect being that Crabgrass is still usable over Tor when you turn JavaScript way down, or even all the way off, if you don't mind losing a lot of interactivity.


#16

Tried Wire at all?

Not sure if it fits what you're looking for but created by former Skype devs, uses Signal protocol, available on Desktop, iOS, Android, hosted in Switzerland.

Allows for encrypted file sharing, group chat, phone calls and video chat. Obvious metadata issue (could always run through Tor) but easy setup and use for beginners.

https://wire.com/privacy/


#17

It has a very decent UI/UX but:

Where does it say that it uses Signal Protocol?

Does it have a public code audit?

Also "hosted in Switzerland" means nothing. We all know the Crypto AG story....


#18

I use Sandstorm with a small team at the North Star Post and it's pretty easy to use. There is a pretty decent catalog of apps at https://apps.sandstorm.io/ and it should continue to grow. The development team is also interested in the journalism use-case and they / the community is pretty responsive to requests for new webapps to be ported.

The main apps we use and their use cases:
Etherpad - collaborative document editing
Rocket.Chat - Slack-like web chat [support for the rocket.chat mobile apps on Sandstorm looks like it's very close]
WeKan - Kanban board (handy to track story beats), like Trello
File.Drop - simple file sharing

I also use Gogs for git repos on a data journalism project. It's pretty awesome, but I'm the only one on the team using it at present.
There are some wikis as well, but we've generally just used various Etherpads.

The security model for Sandstorm is pretty thorough and interesting. You get some pretty good compartmentalization from the start. It's still very new though, so we would not rely solely on its security for extremely sensitive work.

We also use Signal for short mobile messages.


#19

Query:

What does "substantive discussion" mean?

I'm asking because I'm interested in why something simple like Whisper Systems / Signal is not any good for you? As in, what are the limitations (before I go out and convince other techphobic journos like me to use it)?

Thanks for any advice!


#20

What I mean by "substantive discussion" is going beyond friendly chatter, into exchanging lead lists, shuffling around documents and spreadsheets to the whole group, describing more complex story leads in some detail -- this kind of stuff that just doesn't lend itself very well to a chat room type of interaction.