Re: [liberationtech] Designing the best network infrastructure for a Human Rights NGO
On 02/28/2013 03:35 PM, anonymous2...@nym.hush.com wrote:

> Thanks, yes I also have seen young and old people use linux but I've also seen hundreds of people trained to use it and as soon as they have to update a package in Linux, get confused and reach for a windows machine.

Oh. Just like the Windows users who are being confronted with "Hey - update me!" pop-ups for Adobe Flash and Java and ignoring them because they think they're going to wreck their workstations? It's been a fun week for that in the salt mines.

--
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/
I'm not the Eater of Souls, I'm just his administrative assistant.

--
Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] Designing the best network infrastructure for a Human Rights NGO
Thanks, a very productive mail. Please keep this subject on topic.

On Fri, 01 Mar 2013 16:55:53 + The Doctor dr...@virtadpt.net wrote:

> On 02/28/2013 03:35 PM, anonymous2...@nym.hush.com wrote:
>
> > Thanks, yes I also have seen young and old people use linux but I've also seen hundreds of people trained to use it and as soon as they have to update a package in Linux, get confused and reach for a windows machine.
>
> Oh. Just like the Windows users who are being confronted with "Hey - update me!" pop-ups for Adobe Flash and Java and ignoring them because they think they're going to wreck their workstations? It's been a fun week for that in the salt mines.
>
> --
> The Doctor [412/724/301/703] [ZS]
> Developer, Project Byzantium: http://project-byzantium.org/
> PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
> WWW: https://drwho.virtadpt.net/
> I'm not the Eater of Souls, I'm just his administrative assistant.
Re: [liberationtech] Designing the best network infrastructure for a Human Rights NGO
On Thu, Feb 28, 2013 at 08:35:14PM +, anonymous2...@nym.hush.com wrote:

> Most of what I have gotten so far are lectures and rhetoric.

I'm not sure what else you expected. (Really, I'm not.) You didn't explain what you're trying to do. You showed up with a list of middling-to-hideously-poor technology choices looking not for design review or critiques, but vetting of your choices even though you didn't provide any rationale for them.

And yet you got some very sound advice, like "Don't use Windows". You just don't happen to like it. Okay, fine. Then don't take it. Do whatever you want: you don't need our individual or collective approval. (Although y'know...if I said "I'm gonna do X" here and several people told me that was a bad idea, that would give me serious reason to back off and reconsider at length.)

If you actually want serious advice, then take a serious approach: explain *in detail* what you're trying to build. Infrastructure? Desktops? Laptops? Portables? What are the functions you're trying to provide? What's your budget? What are your personnel resources? What is the scale of deployment? What's the scope? What's the threat model look like? And so on.

---rsk
Re: [liberationtech] Designing the best network infrastructure for a Human Rights NGO
On 28 February 2013 07:39, anonymous2...@nym.hush.com wrote:

> Hi,
> We are a human rights NGO that is looking to invest in the best possible level of network security (protection from high-level cyber-security threats, changing circumvention/proxy to protect IP address etc, encryption on endpoints and server, IDS/Physical and Software Firewall/File Integrity Monitoring, Mobile Device Management, Honeypots) we can get for our internal network. I was wondering if people would critique the following network, add comments, suggestions and alternative methods/pieces of software. (Perhaps if it goes well we could make a short paper out of it, for others to use.)
>
> -Windows 2012 Server
> -VMWare virtual machines running Win 8 for remote access

Windows doesn't scare me, full remote access scares me. (I'm amazed at how many people are saying "X is insecure" with no explanations how or why an alternative is more secure.) Obviously you'll need something for remote workers, but see the next section...

> -Industry standard hardening and lock down of all OS systems.

Industry 'Standard' hardening isn't particularly good because 'Standard' is 'Standard' and 'Standard' is also hacked over and over again. Upgrading your RDP authentication level is a good idea and 'Standard' - but what you want most of all is separation of privilege. I don't mean "Bob the sysadmin is the only person who can administer the mailserver" I mean "Bob the sysadmin is the only person who can administer the mailserver, and he can only do it from a separate computer that's on a separate airgapped network and he doesn't use USB keys."

Airgapping brings thoughts of crazy military-levels of paranoia - but it's not all that difficult and it's getting more and more important. Get a couple cheapish laptops, a separate consumer-level broadband connection, and run red cables plus blue to a few people's desks.

Think about it in terms of compartmentalisation, both airgapped and non-airgapped-but-separate-Domains/VLANs/Authorisation contexts. Draw out your network, and then fill an entire section with Red - that's what the attacker controls. How does he move to another section? What data does he get? Brainstorm this part heavily, consider putting it up on a permanent whiteboard and referring to it every time someone comes in and needs access to X group's fileserver, or what-have-you.

> -Constantly changing proxies

I have no idea what you intend to accomplish with this. Performing *more* logging of your employees, or not disabling WPAD sounds like the opposite of what you'd want. (And a note on the WPAD item: disable IPv6 too.)

> -Sophos Enterprise Protection, Encryption and Patch management
> -Sophos mobile management

Uh, I guess. I guess I shouldn't disparage something I've never reviewed and haven't worked with... But my opinion of Enterprise Protection products isn't too high until I've seen an independent security firm see how secure the product is and how much attack surface it adds.

> -Encrypted voice calls for mobile and a more secure alternative to Skype via Silent Circle.

So I guess that's RedPhone?

> -TrueCrypt on all drives - set to close without use after a specific time

Bitlocker is a fine alternative, and probably easier to manage/query via Group Policy.

> -False and poison pill files
> -Honeypots

Ooookay. This isn't a bad idea, but it's pretty damn complicated to set up - you're moving more and more towards something that requires a 24/7 SOC (Security Operations Center) and further away from Architecting a secure network.

> -Snort IDS
> -Tripwire

And someone full time (or 2 people, really probably a team of folks operating 24/7) to monitor these? Cause this stuff doesn't help you if no one's looking at it.

> -Easily controlled kill commands

... Huh?

> -No wifi

Good luck with that. I guess no one's going to have any productive meetings or use any MacBook airs, tablets, or phones for work purposes. (Unlikely.) Having everyone use the cell towers isn't a great idea either. This sounds like you haven't done a requirements gathering phase with your users.

-tom
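The whiteboard exercise in the message above (colour one compartment red, then ask where the attacker can move next) can be run as a reachability check over the network drawing. This is an added example, not part of the thread; the zone names and allowed flows are constructed assumptions, and it goes slightly beyond the message by also scoring a proposed access grant.

```python
from collections import deque

# Constructed zone map (an assumption, not taken from the thread).
# An edge A -> B means "whoever controls A can open a session into B".
FLOWS = {
    "internet":          {"remote_access_vm", "mail_service"},
    "remote_access_vm":  {"user_lan"},
    "user_lan":          {"mail_service"},
    "groupx_lan":        {"mail_service", "groupx_fileserver"},
    "admin_net":         {"mail_admin"},   # separate cabling; nothing leads in
    "mail_admin":        {"mail_service"},
    "mail_service":      set(),
    "groupx_fileserver": set(),
}


def blast_radius(flows, start):
    """Zones the attacker holds or can move into once `start` is red."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in flows.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def exposure(flows, asset):
    """Other zones whose compromise eventually leads to `asset`."""
    return {z for z in flows if z != asset and asset in blast_radius(flows, z)}


def review_grant(flows, src, dst):
    """For a requested flow src -> dst, what each starting point would gain."""
    proposed = {zone: set(targets) for zone, targets in flows.items()}
    proposed.setdefault(src, set()).add(dst)
    proposed.setdefault(dst, set())
    gained = {}
    for zone in proposed:
        new = blast_radius(proposed, zone) - blast_radius(flows, zone)
        if new:
            gained[zone] = new
    return gained


if __name__ == "__main__":
    for zone in sorted(FLOWS):
        print(f"{zone:18} -> {sorted(blast_radius(FLOWS, zone) - {zone})}")
    print("zones that lead to admin_net:", sorted(exposure(FLOWS, "admin_net")))
    # "Someone needs access to X group's fileserver": check before granting.
    request = review_grant(FLOWS, "user_lan", "groupx_fileserver")
    for zone in sorted(request):
        print(f"after grant, {zone} also reaches {sorted(request[zone])}")
```

In this constructed map the grant to `user_lan` also hands the file server to anyone who starts from the internet by way of the remote-access VMs, which is the transitive step the drawing is meant to surface.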
Re: [liberationtech] Designing the best network infrastructure for a Human Rights NGO
Thanks excellent advice - much to think about.

On Thu, 28 Feb 2013 14:09:39 + Tom Ritter t...@ritter.vg wrote:

> On 28 February 2013 07:39, anonymous2...@nym.hush.com wrote:
>
> > Hi,
> > We are a human rights NGO that is looking to invest in the best possible level of network security (protection from high-level cyber-security threats, changing circumvention/proxy to protect IP address etc, encryption on endpoints and server, IDS/Physical and Software Firewall/File Integrity Monitoring, Mobile Device Management, Honeypots) we can get for our internal network. I was wondering if people would critique the following network, add comments, suggestions and alternative methods/pieces of software. (Perhaps if it goes well we could make a short paper out of it, for others to use.)
> >
> > -Windows 2012 Server
> > -VMWare virtual machines running Win 8 for remote access
>
> Windows doesn't scare me, full remote access scares me. (I'm amazed at how many people are saying "X is insecure" with no explanations how or why an alternative is more secure.) Obviously you'll need something for remote workers, but see the next section...
>
> > -Industry standard hardening and lock down of all OS systems.
>
> Industry 'Standard' hardening isn't particularly good because 'Standard' is 'Standard' and 'Standard' is also hacked over and over again. Upgrading your RDP authentication level is a good idea and 'Standard' - but what you want most of all is separation of privilege. I don't mean "Bob the sysadmin is the only person who can administer the mailserver" I mean "Bob the sysadmin is the only person who can administer the mailserver, and he can only do it from a separate computer that's on a separate airgapped network and he doesn't use USB keys."
>
> Airgapping brings thoughts of crazy military-levels of paranoia - but it's not all that difficult and it's getting more and more important. Get a couple cheapish laptops, a separate consumer-level broadband connection, and run red cables plus blue to a few people's desks.
>
> Think about it in terms of compartmentalisation, both airgapped and non-airgapped-but-separate-Domains/VLANs/Authorisation contexts. Draw out your network, and then fill an entire section with Red - that's what the attacker controls. How does he move to another section? What data does he get? Brainstorm this part heavily, consider putting it up on a permanent whiteboard and referring to it every time someone comes in and needs access to X group's fileserver, or what-have-you.
>
> > -Constantly changing proxies
>
> I have no idea what you intend to accomplish with this. Performing *more* logging of your employees, or not disabling WPAD sounds like the opposite of what you'd want. (And a note on the WPAD item: disable IPv6 too.)
>
> > -Sophos Enterprise Protection, Encryption and Patch management
> > -Sophos mobile management
>
> Uh, I guess. I guess I shouldn't disparage something I've never reviewed and haven't worked with... But my opinion of Enterprise Protection products isn't too high until I've seen an independent security firm see how secure the product is and how much attack surface it adds.
>
> > -Encrypted voice calls for mobile and a more secure alternative to Skype via Silent Circle.
>
> So I guess that's RedPhone?
>
> > -TrueCrypt on all drives - set to close without use after a specific time
>
> Bitlocker is a fine alternative, and probably easier to manage/query via Group Policy.
>
> > -False and poison pill files
> > -Honeypots
>
> Ooookay. This isn't a bad idea, but it's pretty damn complicated to set up - you're moving more and more towards something that requires a 24/7 SOC (Security Operations Center) and further away from Architecting a secure network.
>
> > -Snort IDS
> > -Tripwire
>
> And someone full time (or 2 people, really probably a team of folks operating 24/7) to monitor these? Cause this stuff doesn't help you if no one's looking at it.
>
> > -Easily controlled kill commands
>
> ... Huh?
>
> > -No wifi
>
> Good luck with that. I guess no one's going to have any productive meetings or use any MacBook airs, tablets, or phones for work purposes. (Unlikely.) Having everyone use the cell towers isn't a great idea either. This sounds like you haven't done a requirements gathering phase with your users.
>
> -tom
Re: [liberationtech] Designing the best network infrastructure for a Human Rights NGO
drone_guinness1 borgnet:

> ...end users using Linux :-D (good one)

so you say that android users aren't end users?
Re: [liberationtech] Designing the best network infrastructure for a Human Rights NGO
Speaking of GNU/Linux operating systems, I am personally a big fan of LiveCDs such as Tails (https://tails.boum.org/), where you don't need to install any software on a computer and lose all data (almost all data) on a reboot. Journalists, activists in high risk countries can have multiple copies of a LiveCD at home, work or school. Instead of carrying their activities in their laptops, they can load the CD and perform their tasks with little or no trace.

--SiNA

Julian Oliver:

> ..on Thu, Feb 28, 2013 at 03:00:11PM +, anonymous2...@nym.hush.com wrote:
>
> > If you think you can get a board member or a finance person in an NGO to use Linux then you are detached from the reality of how most NGOs work. The user will simply ignore it.
>
> Really? Have you tried a recent desktop Linux distribution? What about Android?
>
> While not a fan of Ubuntu myself, I've seen both an 11yr old girl and a 70yr old retired farmer installing packages and watching videos, making documents in Ubuntu. One quite often hears many people find it far less confusing than Windows.
>
> Linux is just a kernel. GNU tools, applications and the UI are what make it a Desktop OS - and they vary in usability.
>
> Anyway, to be a little more constructive on the topic, check out Tactical Tech's NGO-in-a-box. All built on free and open software:
>
> Everyday tools for NGOs
>
> Base NGO in-a-box is a collection of tools for the day-to-day running of small to medium sized NGOs. Produced by Tactical Tech in association with WomensNet, this toolkit aims to make it easier to set up base, find the right software and learn how to use it. Targeted primarily at NGOs and advocacy organisations in developing countries the Box contains a set of peer-reviewed Free and Open Source Software tools, with associated guides and tutorials.
>
> http://archive.tacticaltech.org/ngo-in-a-box-base.html
>
> Testimonials:
>
> http://archive.tacticaltech.org/whatpeoplesayaboutus.html
>
> Cheers,
>
> Julian
>
> > On Thu, 28 Feb 2013 14:50:08 + Andreas Bader noergelpi...@hotmail.de wrote:
> >
> > > anonymous2...@nym.hush.com:
> > >
> > > > Hi,
> > > > We are a human rights NGO that is looking to invest in the best possible level of network security (protection from high-level cyber-security threats, changing circumvention/proxy to protect IP address etc, encryption on endpoints and server, IDS/Physical and Software Firewall/File Integrity Monitoring, Mobile Device Management, Honeypots) we can get for our internal network. I was wondering if people would critique the following network, add comments, suggestions and alternative methods/pieces of software. (Perhaps if it goes well we could make a short paper out of it, for others to use.)
> > >
> > > I also work for a human rights NGO. First don't use an internal network, you need a decentral communication and information network. Second, Windows is not easier than Linux, compare Windows 8 and Debian with Gnome 2. I would probably use a SEL Kernel like in SL 6, when possible a Live-System. Forget all the closed-source software.
> > >
> > > Now the Software:
> > >
> > > -Firefox with Torbutton
> > > -Thunderbird with Torbirdy and OpenPGP
> > > -Vidalia
> > >
> > > Encrypt your systems with LUKS, it's also FDE. Truecrypt doesn't work with Linux as FDE. You can possibly try Liberte Linux, someone on this list presented it to us, it's made for secure communication. And if you are unsure about Linux and Windows in High Level Security Systems, then you should probably go and get a real Sysadmin/Security-Fanatic. How good are you with IT-Sec? I don't want to offend you, but you sound like a beginner.
> > >
> > > Andreas
> > >
> > > (P.S.: Skype? You can't be serious. ICQ and Facebookchat is more secure. Use IRC).

--
“Be the change you want to see in the world.” Gandhi
XMPP: i...@jabber.ccc.de a5dae15f45a37e9768f6deae7b54807fc4942ec9
twitter.com/wwwiretap
Re: [liberationtech] Designing the best network infrastructure for a Human Rights NGO
Thanks, yes I also have seen young and old people use linux but I've also seen hundreds of people trained to use it and as soon as they have to update a package in Linux, get confused and reach for a windows machine.

The NGO in a box stuff is ok but not what I am asking about at all, I'm speaking about a network for a Western NGO with significant operations and exposure from high-level threats and on the ground in 3rd world countries.

Most of what I have gotten so far are lectures and rhetoric.

On Thu, Feb 28 at 06:26 PM (UTC), Julian Oliver jul...@julianoliver.com wrote:

> ..on Thu, Feb 28, 2013 at 03:00:11PM +, anonymous2...@nym.hush.com wrote:
>
> > If you think you can get a board member or a finance person in an NGO to use Linux then you are detached from the reality of how most NGOs work. The user will simply ignore it.
>
> Really? Have you tried a recent desktop Linux distribution? What about Android?
>
> While not a fan of Ubuntu myself, I've seen both an 11yr old girl and a 70yr old retired farmer installing packages and watching videos, making documents in Ubuntu. One quite often hears many people find it far less confusing than Windows.
>
> Linux is just a kernel. GNU tools, applications and the UI are what make it a Desktop OS - and they vary in usability.
>
> Anyway, to be a little more constructive on the topic, check out Tactical Tech's NGO-in-a-box. All built on free and open software:
>
> Everyday tools for NGOs
>
> Base NGO in-a-box is a collection of tools for the day-to-day running of small to medium sized NGOs. Produced by Tactical Tech in association with WomensNet, this toolkit aims to make it easier to set up base, find the right software and learn how to use it. Targeted primarily at NGOs and advocacy organisations in developing countries the Box contains a set of peer-reviewed Free and Open Source Software tools, with associated guides and tutorials.
>
> http://archive.tacticaltech.org/ngo-in-a-box-base.html
>
> Testimonials:
>
> http://archive.tacticaltech.org/whatpeoplesayaboutus.html
>
> Cheers,
>
> Julian
>
> > On Thu, 28 Feb 2013 14:50:08 + Andreas Bader noergelpi...@hotmail.de wrote:
> >
> > > anonymous2...@nym.hush.com:
> > >
> > > > Hi,
> > > > We are a human rights NGO that is looking to invest in the best possible level of network security (protection from high-level cyber-security threats, changing circumvention/proxy to protect IP address etc, encryption on endpoints and server, IDS/Physical and Software Firewall/File Integrity Monitoring, Mobile Device Management, Honeypots) we can get for our internal network. I was wondering if people would critique the following network, add comments, suggestions and alternative methods/pieces of software. (Perhaps if it goes well we could make a short paper out of it, for others to use.)
> > >
> > > I also work for a human rights NGO. First don't use an internal network, you need a decentral communication and information network. Second, Windows is not easier than Linux, compare Windows 8 and Debian with Gnome 2. I would probably use a SEL Kernel like in SL 6, when possible a Live-System. Forget all the closed-source software.
> > >
> > > Now the Software:
> > >
> > > -Firefox with Torbutton
> > > -Thunderbird with Torbirdy and OpenPGP
> > > -Vidalia
> > >
> > > Encrypt your systems with LUKS, it's also FDE. Truecrypt doesn't work with Linux as FDE. You can possibly try Liberte Linux, someone on this list presented it to us, it's made for secure communication. And if you are unsure about Linux and Windows in High Level Security Systems, then you should probably go and get a real Sysadmin/Security-Fanatic. How good are you with IT-Sec? I don't want to offend you, but you sound like a beginner.
> > >
> > > Andreas
> > >
> > > (P.S.: Skype? You can't be serious. ICQ and Facebookchat is more secure. Use IRC).
>
> --
> Julian Oliver
> http://julianoliver.com
> http://criticalengineering.org
Re: [liberationtech] Designing the best network infrastructure for a Human Rights NGO
anonymous2...@nym.hush.com:

> Thanks, yes I also have seen young and old people use linux but I've also seen hundreds of people trained to use it and as soon as they have to update a package in Linux, get confused and reach for a windows machine.
>
> The NGO in a box stuff is ok but not what I am asking about at all, I'm speaking about a network for a Western NGO with significant operations and exposure from high-level threats and on the ground in 3rd world countries.

In that case you should contact a microsoft adviser, he will help you to build your secure infrastructure basing on MS. If you ask the people here what they would use then you get the answers you get right now. You sound like you want security in a corporate structure.

Andreas