[xenial] Display advisory in Journalist Interface for instances running 14.04 (Trusty) #4027

Closed
eloquence opened this issue Jan 9, 2019 · 14 comments


@eloquence
Member

eloquence commented Jan 9, 2019

Part of #3204, and a narrower version of #4001.

As discussed in sprint planning today, at minimum, as part of the 0.12.0 release of SecureDrop, we'll want to display a warning (on the Journalist Interfaces) on instances running Trusty (14.04) that it's time to upgrade. This should link to the advisory on SecureDrop.org, which will include the most up-to-date information about the process.

This can potentially be accomplished by ensuring that this feature is enabled only for the Trusty packages.

To allow for sufficient time for post-release on-site "canary" testing, I would recommend displaying the warning only after March 4, 2019.

User Testing

As a SecureDrop journalist or administrator, I want to be aware of major administrative issues concerning the security of my instance, so that I can ensure appropriate steps are taken to perform necessary updates.

@ninavizz
Member

Noting that I'll be posting mox to this Issue, sometime tomorrow.

@zenmonkeykstop
Contributor

@ninavizz for first draft of upgrade message I'm thinking something like:
"Your instance is running on an unsupported OS and must be upgraded to continue to receive security updates. For more information, see "

(If you're thinking of different warning levels, this one would be critical.)

@ninavizz
Member

ninavizz commented Jan 11, 2019

Recommended banner/message/icon

Skully icon, Admin: https://drive.google.com/open?id=1pIp60_EBLRaosW8YRDtAmt_nixLh46B3
Skully icon, Journo: https://drive.google.com/open?id=1lLeHEduq5oh9a6kq2i7XBWcPIK6iN9DM
Circle-bang icon, Journo: https://drive.google.com/open?id=1VnlGMYrPwS86iwB1BmJd3nHwnBDR5V65

Rationale:

  • The user has not made a user-error, so first and foremost—it's important for them to understand that. Secondly, their instance has not, in fact, been compromised—but is now more vulnerable to compromise than it ordinarily would be.

    • Is there a way to currently display to users that an instance has been compromised? This would be good to know.
  • I'm inclined towards the skully icon, because this is a software end-of-life issue. Home automation and the ubiquity of tech in our personal lives, has made end-of-life concepts more common to non-technical users... hence, my comfort with that mental model.

    • My only hesitance, is that I don't want to confuse users with the idea their current instance may already be compromised.
    • Should the latter be too high a concern for others, my alternate suggestion is the circle-bang. I'm not keen on how close the dot is to the line on the exclamation-point, as it interferes with small-size legibility. Why not the existing triangle-bang? Because this isn't a user-error, and it's important to keep that symbology separate.
  • Finally: I'm usually averse to using red in user messaging. The problem with red is that it piques user anxiety—which can interfere with cognitive processes in resolving errors. Because the user has not made a task-related, immediately correctable error, however, that is not a problem in this use case—and if anything, that anxiety, in this rare situation, seems appropriate.

Recommended message text

Critical Security: The operating system on your SecureDrop server has reached its end-of-life. A manual update is urgently required to remain safe. Learn More

Sought points to communicate to the user (a non-technical journalist, a nerdy journalist, or an admin) seeing this, in order:

  1. You have not made an immediately correctable task-related mistake.
  2. There is an urgent admin issue unrelated to your tasks in this session.
  3. You need to remember to act upon this once you've completed your current tasks.
  4. The issue pertains to SD hardware outside the Workstation laptops & Tails sticks.
  5. The issue pertains to the hardware most important to not be compromised.
  6. Your current instance has not been compromised.
  7. Your current instance is now vulnerable to compromise.
  8. If you don't know who to communicate with about this, please contact SD support.

Note: At the VERY TOP of the article the above text links out to, non-technical journalists should be spoken to in a single sentence/paragraph that encourages them to contact support if they don't know whom else to reach-out to for help, should help be needed.

We learned from one customer in our recent user research, that their admin had left the org—and that the org had since been pokin' along without a SD admin, for several months. They'd "been meaning to" reach out to someone at FPF, but with the length of a journalist's to-do list, that was understandably low on the list. Their whole IT situation is in a state of transition, so the journos using SD also just didn't really know what to ask of FPF when contacting them.

It's important to give folks in this situation a direct connection with a human to help them resolve this, as to not leave them dangling with such a vulnerability. My partner in the testing engaged with this user to prod them a little more about why they hadn't already yet reached-out to FPF, and the uncertainty w/ accompanying "oh, y'know" list of reasons was long. That has to be spoken to, simply, boldly, and discoverably.

@ninavizz
Member

Suggested icons:
Skully (preferred): https://fontawesome.com/icons/skull-crossbones?style=solid
Circle-bang (alternate): https://fontawesome.com/icons/exclamation-circle?style=solid

@zenmonkeykstop
Contributor

👍 for skulls - one nit about the wording is that more than one server is affected. A SecureDrop instance has two, the application and monitor servers, and both need updating. How about "The operating system used by your SecureDrop instance has reached its end-of-life. A manual update is urgently required to remain safe. Learn More"?

@zenmonkeykstop
Contributor

@eloquence if the March 4 thing is a requirement, it would probably require either some kind of cronjob to be set up via scripts in 0.12.0 (fun to test), a point release on March 4 to update the app, or logic in the app with hard-coded dates. None of these options sound great to me. Is there a downside to having it displayed in 0.12.0 from release?

@eloquence
Member Author

eloquence commented Jan 12, 2019

Mh, the reason I think it might make sense to have it show up with a couple of weeks delay after the release is a) it'll give us some time to incorporate any findings with canary testers & early adopters into the advisory, b) it'll help spread out the support load a bit through Feb/Mar. The advisory URL is specific to Xenial so I'm not sure how problematic it is to also have a hardcoded date? But let's kick it around a bit on Monday, happy to drop that idea if y'all think it's not worth the extra complexity.

@ninavizz
Member

@zenmonkeykstop Ya, @eloquence and I kinda went back and forth on the "server" vs "instance" verbiage in Slack, last week. "Instance" is meaningless jargon to non-technical users (same as the word "Source" is journalism jargon to most source users—hence my desire to see that word removed in source-facing documentation and landing page content).

I don't want to risk confusing the least-technical users seeing this, by use of a plural (or language) they may not understand. Users tend to blow things off they don't understand, and we obvs don't want that (also why the skull-and-crossbones icon). More technical users tend to be more curious and willing to learn more about things, by nature, hence my comfort with a word that's more "clear" to the point, than literally accurate wrt action needed. The latter, a proper article needs to outline steps towards resolution on.

Thoughts?

@eloquence Are you suggesting by "advisory URL" that the "Learn More" is currently planned to link-out to a page on the Xenial website? I'd rather create a unique article somewhere on sd.org or readthedocs that explains the situation in more detail (and within that text, communicate there's two machines involved). Per my note above, one of the first things a user needs to see is a more detailed explanation about what's going on... followed-up with actionable options, and then within there the next-steps for Admin users (and the Xenial site link, there).

@eloquence
Member Author

eloquence commented Jan 15, 2019

@ninavizz No, the "Learn More" URL will point to a page in the docs.securedrop.org hierarchy, with a fair bit of context, as you suggest, and clear & actionable instructions for performing the upgrade.

@zenmonkeykstop
Contributor

About the "read more" link - what say ye to having that go to https://securedrop.org/xenial-upgrade, and we can redirect that URL to wherever the docs end up living?

@zenmonkeykstop
Contributor

@ninavizz how about we just say "servers", plural, then, for the sake of accuracy? The flipside of simplified language is that if a tech-savvy user sees the message and it doesn't make sense, they'll be more likely to be suspicious of it for that reason.

@ninavizz
Member

ninavizz commented Jan 22, 2019

@zenmonkeykstop Good point. Revised text, then...

Critical Security: The operating systems on your SecureDrop servers have reached their end-of-life. A manual update is urgently required to remain safe. Learn More

@zenmonkeykstop
Contributor

That implies there's 2 different OS versions in play tho. Would you accept "The operating system used by your SecureDrop servers has reached its end-of-life. A manual update is urgently required to remain safe - Learn More"?

@ninavizz
Member

ninavizz commented Jan 22, 2019

Critical Security: The operating system used on both of your SecureDrop servers has reached its end-of-life. A manual update is urgently required to remain safe - Learn More

^ Sounds a tad more explicit; me personally being a non-technical user, the singular "OS" and plural "servers" felt like a typo. I also want to be accurate tho, as I appreciate your point with technical users seeing my dumbed-down verbiage as a potential compromise!

3 participants