Periodic Report
(Open Technology Fund)
December, 1st 2014 to December, 31th 2014
D1.5: Support installation with debian package only
D4.2: Introduce configuration profiles (ready-made submission fields)
D5.2: Make a major re-work on UX-design following a UX-consultancy and UX-usability improvement
D8: General definition of flood resistant framework
D9: Various Security Improvements
Tor2web Software Improvals and Maintainence
Executive Summary
During the December activities, thanks to the consultancy of JoyLab, we focused on UX improvements achieving a large set of improvements. Apart from this we worked also on the Packaging of the application and on its proper Internationalization; GlobaLeaks is now available with Chinese, Ukrainian and Japanese translations.
The activities resulted in the release of an important stable version (GlobaLeaks 2.60.42 (https://lists.torproject.org/pipermail/tor-talk/2014-December/036101.html).
A more detailed look at the activities carried on during the considered reporting period is in the following.
Details
As detailed in December milestone, the activities have been focused on the progress of the following sub-deliverables:
OTF-D1: Easier Installation
- OTF-D1.5: Support installation with debian package only
OTF-D4: Easier Configuration
- OTF-D4.2: Introduce configuration profiles (ready-made submission fields)
OTF-D5: Usability Improvement
- OTF-D5.2: Make a major re-work on UX-design following a UX-consultancy and UX-usability improvement
OTF-D8: Flood Resiliency
- General definition of flood resistant framework
D9: Various Security Improvements
The full list of tickets closed during the December milestone is available at:
https://github.com/globaleaks/GlobaLeaks/issues?q=milestone%3A%222014+December%22
Some of the activities are ongoing some discussions in order to spot the best implementation, thus have been postponed to the January 2015 milestone: https://github.com/globaleaks/GlobaLeaks/milestones/2015%20January
In the following, we describe the details of the work carried on for each deliverable listed as
a component of the December milestone.
D1.5: Support installation with debian package only
Starting from the release 2.60.42 GlobaLeaks includes the support for the following systems:
- Ubuntu 12.04 “Precise Pangolin”
- Ubuntu 14.04 “Trusty Tahr”
- and Debian 7 “Wheezy”
- and Debian Testing “Jessie”
The different packaging of GlobaLeaks is handled on separated Git branches and the releases are available at our official repository https://deb.globaleaks.org/ :
- https://github.com/globaleaks/GlobaLeaks/tree/release/ubuntu/precise
- https://github.com/globaleaks/GlobaLeaks/tree/release/ubuntu/trusty
- https://github.com/globaleaks/GlobaLeaks/tree/release/debian/wheezy
- https://github.com/globaleaks/GlobaLeaks/tree/release/debian/jessie
The new packaging is now kept under unit testing (https://github.com/globaleaks/GlobaLeaks) and we raised the code coverage up to 82% and we integrated the landscape.io service to monitor the pylint code quality indicators, and they are now up to 87%.
Starting from this release we are also tracking the Changelog in a rigorous way (https://github.com/globaleaks/GlobaLeaks/blob/master/CHANGELOG) and in order to build a community we are trying also to perform regular updates on relevant mailinglists (e.g.: https://lists.torproject.org/pipermail/tor-talk/2014-December/036101.html).
As result of this effort after the announcement we got 2 volunteers working on the platform; one of them is now working on globaleaks to perform a study for his master thesis in Germany.
The adoption of the software has been simplified (Installation Guide) by enabling user install it by means of the command:
curl https://deb.globaleaks.org/install.sh | sh
D4.2: Introduce configuration profiles (ready-made submission fields)
As already stated in previous report the most important work done during these initial months has been the refactoring of the low level data structures of the application, in order to enrich the possibilities of configuration of the submission interface and let GlobaLeaks evolve from a simple leaking platform to an important whistleblowing one.
During this month we achieved the score to integrate this refactoring and release it in the package 2.60.42 released last 22 December.
D4.2 is in a stage in which we will deal simply with bugfixing and little modifications in order to refine the work and improve it by minor modifications.
More details on the work done and on the corrections planned and to be finished please refer to the complete list of closed/open tickets related to this topic:
Closed tickets:
Open Tickets:
D5.2: Make a major re-work on UX-design following a UX-consultancy and UX-usability improvement
Following the suggestions provided during the consultancy we had by JoyLab.co.uk, the focus of the month activities has been on UX improvements.
During a 4 day long hackathon at Amnesty International offices held from the 2nd to 5th of December, various Saudi/Pakistan researchers have been interviewed before and after the design of the new UI mockups. During the month activities we worked on so to finish these interfaces.
Examples of the new interfaces are:
- https://cloud.githubusercontent.com/assets/217034/5418773/69bcbe54-8245-11e4-81e7-983c4dbf4e1e.png
- https://cloud.githubusercontent.com/assets/217034/5354327/dca80d7c-7f86-11e4-8985-d4a6045a98d3.png
- https://cloud.githubusercontent.com/assets/217034/5354329/e2746840-7f86-11e4-8430-1c23b610caab.png
D8: General definition of flood resistant framework
As part of the goal for the November milestone we tackled to finish the Implementation of some flood measurement capabilities that are needed in order to generically deal with the D8 deliverable.
In December has been accomplish and delivered. Now we’ve a new anomaly detection and statistic in place in the running node.
The goal now is:
- Collect for some time feedback from the adopters, in order to assess which is the real case use case
- Develop some testing tool in order to bring our implementation under attack
- Proceed with the planned ticket in order to complete D8.
Details on the work done can be found on the following tickets:
- https://github.com/globaleaks/GlobaLeaks/issues/937
- https://github.com/globaleaks/GlobaLeaks/issues/993
The UI offered by the new statistic module offers a graphic visualisation that enables to easily detect spikes of activities on the node and to understand what is happening.
D9: Various Security Improvements
Pickle objects stored inside the database have been replaced by JSON objects.
In fact due to some attacks performed in past to some applications using pickles various security quidelines suggest to not use them. Also if the real security is not impacted we decided to apply this change in order to not be furthermore criticized. The change applied reflects mostly onto performance of the appplication that now ssaves the 90% that was used by pickles and given that GlobaLeaks makes uses of SQLite (that has a db based on a single file) now globaleaks should perform better.
Next steps
In reference to the project plan, next activities are detailed in the January milestone.
Current selected tickets are mainly focused on the implementation of certain number of feature set and bugfixing that are important to be developed in order to support main initiatives like: AfriLeaks, Amnesty and the ALAC by Transparency International:
Next month research and development activities will be mainly focused on the following topics:
D1.5: Support installation with Debian package only
D2.1.:OpenPGP.js encrypted files for Whistleblower
D4.2: Introduce configuration profiles (ready-made submission fields)
D5.2: Make a major re-work on UX-design following a UX-consultancy and UX-usability improvement
D8: Flood Resiliency
Additional Activities
In December we progressed in supporting the following projects:
AfriLeaks
Afrileaks is displaying interesting challenge, overall:
- we have to fine tune our procedure for journalists. They have been trained, but the common habit of using windows and social network, represents a challenge when switching on Tails, encrypted email, GlobaLeaks UI for Receiver.
- Receiver (Journalist) has a different business model and working model than the one showed by Netherland experience of publeaks: we have to deal with a lack of propositive interest showed during the training the team kept in Africa last October, November
- It is important to collect the various stories published from the many news room, so to have a living archive of success stories integrated in a dedicated section of globaleaks interface
- A questionnaire to assess the skills learnt during the training in Maputo has been sent to all the journalists present in that occasion
- We identified and contacted 4 main newsrooms which will be the receivers at launch: Mail&Guardian, Global Witness, Savannah, Verdade
Tor2web Software Improvals and Maintainence
Given the good work performed on the GlobaLeaks packaging, we decided to apply the same approach to Tor2web in order to continue properly maintaining the software (developed thanks to the previous funding, and actually without a new funding) and make more easy and more secure to achieve such a goal. This is strongly needed, as Tor2web is an important component of GlobaLeaks that enable hidden services reachability by means of a traditional web browser in place of the Tor Browser Bundle.
So, for Tor2web too, the different packaging is now handled on separated Git branches and the releases are available at our official repository https://deb.globaleaks.org/ :
- https://github.com/globaleaks/Tor2web-3.0/tree/release/ubuntu/precise
- https://github.com/globaleaks/Tor2web-3.0/tree/release/ubuntu/trusty
- https://github.com/globaleaks/Tor2web-3.0/tree/release/debian/wheezy
- https://github.com/globaleaks/Tor2web-3.0/tree/release/debian/jessie
/