Consider removing the MAT toolkit from SecureDrop #497

Closed
runasand opened this issue Jul 27, 2014 · 8 comments · Fixed by #519

@runasand
Contributor

The /lookup page on SecureDrop 0.3 has a checkbox that says "Attempt to remove file metadata," but no text that explains what this means and what checking the box will do.

@dolanjs
Contributor

dolanjs commented Jul 27, 2014

I think this option should be removed completely from the source interface. I think it provides a false sense of security to the source about what it can and cannot do. MAT does not support all file formats, and in cases like encrypted PDF it has various levels of success in achieving what it says. There is also the point that the metadata info is valuable to the journalist. This information should be removed prior to being transferred from the airgapped host, where a combination of MAT, printing and scanning, plus one-off measures can be documented and put in place.

@dolanjs
Contributor

dolanjs commented Jul 27, 2014

MAT toolkit also has a few dependencies for both source/document interfaces that would be removed to help reduce the attack surface. @garrettr think I covered everything from our conversation about this.

MAT dependencies:

  • hachoir-core==1.3.3
  • hachoir-parser==1.3.4
  • mutagen==1.22
  • pdfrw==0.1

@runasand
Contributor Author

I am all for removing bits and pieces that only provide a false sense of security. Ideally, SecureDrop should present the source with a page that briefly explains why the application will not attempt to remove this information automatically, why it might be important for the journalist, and what the source can do should he/she decide to remove it before uploading the document.

@diracdeltas
Contributor

BTW, I reported and have a pull req open for this: #456 #455

@runasand changed the title from "Explain "Attempt to remove file metadata"" to "Consider removing the MAT toolkit from SecureDrop" on Jul 28, 2014

@runasand
Contributor Author

Thanks, @diracdeltas. I updated the title of this issue to reflect the discussion we have had so far, namely whether to remove the MAT toolkit from SecureDrop completely.

@diracdeltas
Contributor

We have some other issues with MAT:

  • pip doesn't check the package signature (though we do install it from the boum.org website over HTTPS)
  • the 0.5.x MAT releases are provided as .xz files, which pip can't auto-decompress [1].
  • it's not a standard pip package [1], so pip-tools can't auto-detect when an update is available.

[1] discussion at https://labs.riseup.net/code/issues/7386

@garrettr
Contributor

garrettr commented Aug 1, 2014

I agree that there are so many outstanding issues with MAT that it should be deferred to a later release. Additionally, I don't think this is the kind of decision that sources should be making. If a source is sufficiently savvy as to understand what metadata is, they can remove it themselves. Otherwise, this is the journalist's responsibility to handle correctly. We should address this issue by creating good tools for journalists to extract, analyze, and clean metadata.

@diracdeltas
Contributor

@garrettr and I decided it's best to remove MAT in 0.3. I'll take this task.
