[liberationtech] StoryMaker - opinions

Wed Jul 24 18:53:33 PDT 2013

On 07/24/2013 01:42 PM, Bill Best wrote:
> I understand that some people on this list are involved with StoryMaker

Yes, we are! I can speak to some aspects of the project, but I
hope/expect my colleagues at Small World News and Free Press Unlimited
may also have something to add to this discussion.

The current release is our public beta 1. Active development is still
underway, including a focused development sprint on adding additional
security features (more on that below), and working through a deep audit
of the Android app.

> The StoryMaker literature mentions a number of times that the app is to
> be used for "safely reporting and sharing stories" and I wonder how this
> has been substantiated - with particular regard to the fact that it is
> expected that this app will facilitate free journalism in thecing
> (hopefully) emerging democracies of the Middle East:

At a high level, there is quite a bit of value in the core function of
the app, that lives up to the safely reporting and sharing stories
claim. First, the app itself is a completely self contained media
capture and editing solution for audio, video, photo journalist content.
It can run on an Android device with full disk encryption enabled, and
be used to create well shot, edited stories even if there is no internet
enabled.

In short, since it does not require a cloud backend, or require you to
upload media, it by default, provides more control to the journalist of
their content and sources. You can even share the fully rendered stories
from the app via bluetooth, NFC, wifi mesh or other peer-to-peer
mechanisms, making it an excellent tool for use in internet blackout or
filtering situations.

More specifically, the current public StoryMaker beta offers support for:

- integrated Tor / proxy support for all network traffic
- a custom YouTube video uploader file that integrates with Tor, Google
OAuth (helps with 2-factor accounts) and improved HTTPS verfication (to
defend against man-in-the-middle)
- an entire curriculum module focused on Security for journalists in
practice

The current app also uses SQLCipher to encrypt all of the project data,
but we just haven't exposed the ability to set a password, since we had
some usability concerns to work through.

Right now, the next major development cycle is underway, with the work
including the following r&D:

- Full encrypted, password protected storage of story data (SQLCipher +
CacheWord support)
- Optional import to encrypted storage of all media files post-capture
(IOCipher)
- Optional real-time encrypted media capture direct to IOCipher
- Integration of ObscuraCam features for photo and video redaction,
anonymization, etc.

Some of the features are more stable than others, but we expect all of
the work will get into the primary app over the next few months.

> It would be interesting/useful to know how StoryMaker can offer to
> protect a user's safety or, as no absolute guarantees can ever be made,
> up to what degree of security can be expected from this app. So far, I
> have found a short reference to users "are able to send data from their
> smartphone through the Tor network making it difficult to trace".

This is the primary security feature of the current beta - integration
with Orbot, Tor on Android, for all network traffic, including upload to
YouTube, and retrieval of lesson curriculum.

> StoryMaker looks an excellent app and we are looking at its use by
> citizen journalists.

You can keep up with the project roadmap, open issues, and more here:
https://dev.guardianproject.info/projects/wrapp

There is also a project mailing list here:
https://lists.mayfirst.org/mailman/listinfo/mrapp-dev