
Mozilla Awards $365,000 to Open Source Projects as Part of MOSS - sohkamyung
https://blog.mozilla.org/blog/2017/04/10/mozilla-awards-365000-to-open-source-projects-as-part-of-moss/
======
hackuser
SecureDrop received $250,000 of it. Good for Mozilla, I think. Prior reviews
of SecureDrop in HN have raised questions.

 _The $250,000 given represents the largest amount we’ve ever provided to an
organization since launching the MOSS program. It will support the creation of
the next version of SecureDrop, which will be easier to install, easier for
journalists to use, and even more secure._

IMHO, given the rule that security must cost more to defeat than the target's
value to the attacker (i.e., if you are protecting a $1 million secret, it
must cost $5 million to defeat the security), I wonder if SecureDrop is
feasible:

How much would it be worth to know leaks to the NY Times (and every other
publication that uses it)? Some leaks turn into stories that move markets;
their value is potentially billions of dollars. Some determine the fates of
powerful individuals, organizations, political movements, and nations; their
value is existential to attackers. Can that really be secured? Doesn't it seem
likely that state intelligence agencies will dedicate the resources necessary
to hack SecureDrop? Based on that reasoning, $250K is a drop in the bucket.
Perhaps the news agencies would be better off posting a webpage advising
informants to mail encrypted USB drives, or leave them at dead drops.

There's a broader issue: What is the chance that the NY Times', and similar
publications', internal systems aren't already penetrated and monitored? Based
on the reasoning above, that also seems very unlikely.

