The Year in CDR Tech

This year was difficult in so many ways, for so many people. We at CDR are grateful that during this hard time we were able to continue to serve our core communities by fielding requests for digital security assistance, providing crucial information about staying safe online, and building upon and improving CDR Link, our flagship helpdesk platform.

We’ve made great progress with CDR tech projects in the last 12 months. The Waterbear project – enabling dis- and misinformation data researchers to gather, aggregate, and analyze evidence of online disinformation campaigns – was used by a coalition of dozens of U.S. civil society organizations during the course of the 2020 U.S. elections. Work begins in earnest on the Leafcutter project – a dashboard of regional and global digital security data – in early 2021. And of course, CDR Link itself is being adopted by more and more responders seeking an integrated, flexible, secure, and privacy-protecting helpdesk platform.

See below for details on the work we’ve done in 2020 and what we’re looking forward to in 2021.

After deciding to build CDR Link on top of the open source Zammad platform, we immediately embarked on building an extension to enable the submission of tickets and responses via Signal. This extension, called Sigarillo, laid the foundation of a lot of our future work, including QuePasa, our WhatsApp extension and now Grabadora, an extension enabling voicemail attachments as tickets.

The most recent release of CDR Link (2020.12.1) includes updates for Sigarillo and the introduction of Grabadora. Sigarillo (and soon, QuePasa) can now handle multiple attachments, and all three extensions will be updated to use the new Amigo framework for building extensions (see below), making them more stable, more unified in their structure, and easier to maintain and administer.

We’ve just begun work on a new extension adding PGP encryption to CDR Link’s email channel, offering community members another secure option for creating tickets. We expect the PGP extension to go live in mid-2021. We’ll also be transitioning our core instances to a new setup that takes advantage of automation tools and, when possible, uses Cloudflare Access and Google OAuth to add multiple layers of protection to the platform.

A year ago we were just getting started on what became the Waterbear project, a platform that helps researchers crowdsource and analyze evidence of online mis- and disinformation campaigns. Using CDR Link as a foundation, we built a robust input form, customizable for any taxonomy structure and unique data submission needs, that researchers and trusted sources can use to submit screenshots, links, and anecdotal evidence. That form pipes into CDR Link, where it can be further classified and organized, then it’s sent on to another tool for final review before being added to a core dataset for analysis.

This platform, first built to accommodate the needs of dozens of U.S. civil society organizations seeking to combat the effects of disinformation in the runup to the 2020 election, is now being deployed in Europe and beyond. If you would like to hear more about Waterbear or are interested in seeing a demo, please contact us at [email protected].

Development of the Leafcutter project, first conceived during the spring of 2019, is now underway. Leafcutter is similar to Waterbear in that it builds on CDR Link to provide inputs and analysis tools that help trusted researchers and analysts create a core dataset. In this case, the dataset comes from CDR Link tickets generated by partners running regional digital security helpdesks. Leafcutter will aggregate data from these tickets – detailing types of attacks, location, time, region, and more – and make that data accessible to trusted rapid responders and analysts via the the MISP platform and an easy-to-use dashboard (likely using Shiny). The end result will help regional helpdesk teams respond to digital attacks and implement preventative measures more efficiently and with greater insight.

As CDR’s tech projects have been adopted by more users, the need for documentation has grown. That’s why, in 2020, we built an in-depth documentation site featuring guides on setting up and using CDR Link and Waterbear, our Privacy Policy, and the End-User License Agreement for CDR Link. This resource is a big step toward making CDR tech projects more accessible to current and future users, establishing CDR Link, Waterbear, and Leafcutter as community resources for years to come.

As we noted above, the core of CDR Link is built upon the open-source project Zammad. Since the Zammad platform is so central to our work at CDR and the work of our partners, it’s essential that we verify the integrity and security of the code. With the support of Open Technology Fund our partners at Guardian Project put the platform through a detailed security audit. The results were released and many of our recommendations were incorporated into Zammad’s 3.3.0 release.

A lot of the improvements we’ve made to CDR Link over the last 12 months are “under the hood,” meaning that while users may not initially see them, they’ve improved the usability of the platform and enabled us to quickly deploy it and maintain it for communities in need. These improvements include:

• New monitoring and incident response processes. We’re using Prometheus, Grafana, and VictorOps to monitor our systems 24/7, complete with a rolling “on call” schedule and a process for mitigating incidents and responding to users quickly. We’ve also built systems that are much better at detecting downtime and give us a better overall awareness of platform uptime and health. These improvements help us ensure that our users can rely on our services to be up and working when they need them.
• Amigo, a framework for building tiny web apps. Every time we build an extension to Zammad, such as Sigarillo, or other parts of the Waterbear system, we create a small application to control and administer the core features. In the case of Sigarillo, that’s the Signal numbers, for Grabadora it is the Twilio voice lines. Due to different team member preferences and evolving requirements, we’ve built these applications from scratch, wasting valuable time and energy. Amigo brings order and efficiency to this process. It is an opinionated “micro framework” for building back-office web applications. Everything you need to build your app is there and ready to go: user management, authentication, database access, logging, monitoring. Just add your core business logic and head to production. Amigo provides a standard tech stack our developers can excel in, and it streamlines our development of Zammad extensions and makes them more reliable once deployed.
• Better hosting automation. Over the past year, thanks in large part to the focus and resources of the Waterbear project, we’ve begun hosting core instances on Amazon Web Services (AWS). This allows us to improve security and reliability. AWS offers security features it’s difficult to find elsewhere, and at the same time allows us to use automation to deploy and maintain our services. Automation enables our operations team to deploy faster and be more flexible in delivering new set-ups. This moves us in the direction of a “Software as a Service” offering we’ve been aiming toward since the start.

The work we’ve done both “under the hood” and in more recognizable ways points to an exciting 2021 for the project and CDR as an organization. We’re proud of how far CDR Link has come, and we’re looking forward to making it available to more communities, in more ways, in 2021.

Finally: A big, big thank you to our partners and friends at Guardian Project and Okthanks, who work with CDR to develop, deploy, design, and maintain all of this work. We could never do it without them.

And a big thanks to our community who helped us make it through 2020. We can’t wait to toss out 2020 and ring in a new, better year.