[wftglf]

Hey, author of the post here. I've had quite a bit of feedback on the post from some people with a lot more Qubes experience than me - there are definitely some issues with it - e.g. you can install software from non-default repos in Qubes without setting a netvm for the template. We'll publish an edited version soon in case anyone else stumbles across it.

"Qubes is awesome, but it's no substitute for an air gap." - agreed - for some stories an actually air-gapped machine is essential - if nothing else just because it's very easy when messing round in Qubes manager to add a netvm to the wrong Qube.

However, of the stories we receive coming through SecureDrop system, many don't have the risk profile of something like Snowden - e.g. a local politics story that GCHQ aren't likely to be too fussed about. For these cases, it's helpful to have an environment which is secure, but has a browser available for e.g accessing our CMS or doing research.

[dr_kiszonka]

Would you have two different systems, one for low risk and another for high risk messages? How would triage and enforcement work?

What it sounds like is that you are proposing a system that is less secure compared to what is already in place and this is what people are protesting against.

[Dalewyn]

Wow.

Has journalism has fallen so low that sensitive information is handled with wanton abandon just for the sake of convenience?

Assuming what is said here is true, nobody should be providing sensitive information to The Guardian if for no other reason than to guarantee their own safety.

[wftglf]

I wouldn't say it's wanton abandon - here is a deeper explanation of the threat model of SecureDrop workstation https://github.com/freedomofpress/securedrop-workstation?tab...

[karma_pharmer]

This sounds like you abandoning any hope of ever producing the level of journalism you did in 2013.

That is disappointing.