Have a look at https://openappstack.net/ for a method to bootstrap the launching of a cluster of self-hosted interlinked productivity tools (RocketChat, NextCloud, OnlyOffice) with centralised user management.

Neil
On Thu, 25 Jun 2020 at 06:00, Julian Oliver <[email protected]> wrote:
> In Extinction Rebellion we increasingly use a self-hosted deployment of
> Cryptpad, for simple click-and-go cloud-like document editing and storage,
> encrypted end-to-end. Here's the developer's own deployment:
>
> - https://cryptpad.fr
>
> Cryptpad however doesn't offer a complete replacement for something like
> Nextcloud, which allows for the upload of diverse content/mimetypes (not just
> documents), with click-to-view for video and PDF documents. Nextcloud does
> offer an encryption addon now that is quite interesting, for full client-side
> E2EE:
>
> - https://nextcloud.com/encryption/
>
> I think Nextcloud on an AES-XTS 512bit encrypted filesystem, on a sufficiently
> capable dedicated community-owned host/server, and optionally with that same
> client-side E2EE, is a great solution and is working well for the activist
> communities I support. Files and folders can be shared as public links as
> desired, with optional password protection.
>
> For a further degree of security make it solely available over VPN (Wireguard
> or OpenVPN, on the same host) with your serverside firewall (ufw, iptables,
> etc), passwords in an offline encrypted wallet (KeePass, KeePassXC, etc),
> TLSv1.2 and 1.3 only. Consider containerisation for isolation from the
> underlying filesystem, etc. You may also consider CoLo and using epoxy resin
> to glue the RAM into the slot to mitigate the key-theft from RAM (physical)
> vector.
>
> Globally warm regards,
>
> Julian
>
> ..on Wed, Jun 24, 2020 at 07:20:46PM -0700, Marc Sunet wrote:
> > I'd be interested in learning more about that setup.
> >
> > Something else you could do is to encrypt your files before syncing them
> > with your cloud of choice. But then we're also complicating the situation
> > beyond what an average person would be able to handle.
> >
> > > The crux of it is a lot of systems, like nest cameras, sacrifice
> > > security for simplicity for end users by sticking cloud in the middle to
> > > avoid dealing with VPNs or port forwarding, etc.
> >
> > That's a nice way of putting it :) Those guys have in the past shipped
> > cameras with default passwords, for example, which is sacrificing security
> > for simplicity well beyond what is required. You could, for example, have
> > the user go through a one-time setup that creates a random key with which
> > the video is encrypted. Of course, that would mean the company would no
> > longer have access to the video streams anymore and put an end to their
> > surveillance economy, which is probably what they were after to begin with
> > (I can imagine these companies harvesting hours and hours of video to train
> > face recognition software and engage in other such very ethical
> > endeavors.)
> >
> > On 6/20/20 11:45 AM, Yosem Companys wrote:
> > > [email protected] wrote:
> > >
> > > In my opinion, there is no such thing as a secure cloud. This is because
> > > whatever is on the other end of the connection as well as what might lie
> > > in between is unknown.
> > >
> > > In a best case scenario where you have an encrypted, secure connection to
> > > a cloud system, it is unknown how many people have access to that system,
> > > whether or not it has been breached, etc.
> > >
> > > Additionally, since it is a shared system with thousands or even millions
> > > of other users, each of those users is a potential vector for breach or
> > > other data loss/access.
> > >
> > > As such, we engineer all our systems to be on networks we control and
> > > access them by VPN from offsite. This ranges from such simple things as
> > > surveillance video or access control systems to storage and other
> > > systems.
> > >
> > > Depending on the type of system, they are either at a client's site and
> > > accessed by the client from external places by direct or VPN access.
> > > (systems we build for clients)
> > >
> > > Or with our own systems they are on our sites and accessed either directly
> > > or via VPN.
> > >
> > > If you were setting up something for shared file access, I would put it
> > > on a server you own at a site whose network you control and then make it
> > > accessible to users by putting it in either of the following places:
> > >
> > > 1) A DMZ with port forwarded access (good for things like web developers,
> > > etc); or,
> > >
> > > 2) The main LAN or a sub-LAN and accessible by VPN from outside.
> > >
> > > The crux of it is a lot of systems, like nest cameras, sacrifice security
> > > for simplicity for end users by sticking cloud in the middle to avoid
> > > dealing with VPNs or port forwarding, etc.
> > >
> > > That ease of initial setup compromises the level of security long term,
> > > so we never do it.
> > >
> > > Is it a bit more hassle? Yes. However, we've never had a breach in 3
> > > decades.
> > >
> > > If anyone on the list needs help setting up something like this I can
> > > help. It's really easy once you know how.
> > >
> > > I've actually been thinking about developing a "ZeroCloud" certification
> > > and offering it to products with no middle component as such - a
> > > simmering idea at present.
> > >
> > > On Sat, Jun 20, 2020 6:24 PM, fuzzyTew <[email protected]> wrote:
> > >
> > > git-annex assistant is a gui for git-annex which automates file syncing
> > > using a git repository to store hashes and locations and history of those
> > > things changing. https://git-annex.branchable.com/ . It's written in
> > > Haskell. I use it manually on the command line which works well enough; I
> > > don't use the daemon or gui but they exist.
> > >
> > > On Sat, Jun 20, 2020, 1:34 PM Yosem Companys <[email protected]> wrote:
> > >
> > > That is the rub, isn't it?
> > >
> > > Thanks for the links, Marc!
> > >
> > > On Sat, Jun 20, 2020 5:11 PM, Marc Sunet <[email protected]> wrote:
> > >
> > > I do not have experience with this, but my go-to for these kinds of
> > > questions is often privacytools.io:
> > >
> > > https://www.privacytools.io/providers/cloud-storage/
> > >
> > > Currently the only one listed there is Nextcloud (ignore Keybase, sold to
> > > Zoom):
> > >
> > > https://nextcloud.com/providers/
> > >
> > > You can self-host or rent storage. Based in Germany, GDPR-compliant and
> > > all. At the end of the day you're putting your files in someone else's
> > > servers though.
> > >
> > > Marc
> > >
> > > On 6/20/20 10:00 AM, Yosem Companys wrote:
> > >> I am especially interested in secure alternatives to Google Drive that
> > >> are both secure and convenient and in your experience with these tools.
> > >>
> > >> Thank you,
> > >> Yosem
> > >>
> > >> Yosem Companys
> > >> President and CEO
> > >> Techlantis
> > >> M: (650) 796-1205
> > >> A: 2225 East Bayshore Road, Suite 200, Palo Alto, CA 94303
> > >> W: www.techlantis.com
> > >> E: [email protected]
> > >>
> > >> To schedule an appointment with me, please visit
> > >> https://calendly.com/yosem
> > >
> > > --
> > > GPG: 9C2A AF1D CC91 0A53 AB0A B6A1 C457 0E01 081F 8F91
> > >
> > > https://emailselfdefense.fsf.org/
> >
> > --
> > GPG: 9C2A AF1D CC91 0A53 AB0A B6A1 C457 0E01 081F 8F91
> >
> > https://emailselfdefense.fsf.org/
-- Liberationtech is public & archives are searchable from any major commercial search engine. Violations of list guidelines will get you moderated: https://lists.ghserv.net/mailman/listinfo/lt. Unsubscribe, change to digest mode, or change password by emailing [email protected].
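The hardening Julian sketches above (Nextcloud reachable only over a VPN on the same host, a server-side firewall, TLSv1.2 and 1.3 only) and the "LAN or sub-LAN accessible by VPN from outside" option from the quoted [email protected] message, written out as an added example. This is not code from the thread, from Nextcloud or from any of its authors. Everything concrete in it is an assumption for illustration: a WireGuard interface named wg0 on 10.8.0.0/24 listening on UDP 51820, nginx terminating TLS for Nextcloud on port 443, ufw as the host firewall, and the file name harden.sh.

```shell
#!/bin/sh
# Added example, not from the thread: put a self-hosted Nextcloud behind a
# WireGuard VPN with a host firewall and a TLSv1.2/1.3-only nginx policy.
# All names below are assumptions: wg0 on 10.8.0.0/24, WireGuard on UDP
# 51820, nginx on 443, ufw as the firewall.

WG_IF="${WG_IF:-wg0}"
WG_NET="${WG_NET:-10.8.0.0/24}"
WG_PORT="${WG_PORT:-51820}"

# Emit the ufw rule set. Only the WireGuard port is reachable from the
# Internet; HTTPS and SSH accept connections solely on the tunnel interface
# and from tunnel addresses, so the Nextcloud login page never faces the
# public address (the VPN variant of the thread's DMZ-or-VPN choice).
ufw_rules() {
  cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow in ${WG_PORT}/udp comment 'WireGuard'
ufw allow in on ${WG_IF} from ${WG_NET} to any port 443 proto tcp comment 'Nextcloud, VPN only'
ufw allow in on ${WG_IF} from ${WG_NET} to any port 22 proto tcp comment 'SSH, VPN only'
ufw --force enable
EOF
}

# Apply the rule set (root required). Kept separate from ufw_rules so the
# listing can be reviewed, or saved to a file, before anything changes.
ufw_apply() {
  ufw_rules | sh -e
}

# nginx TLS directives for the "TLSv1.2 and 1.3 only" recommendation. With
# ssl_prefer_server_ciphers off, TLS 1.3 uses its fixed AEAD suites; the
# ssl_ciphers list restricts TLS 1.2 to forward-secret AEAD suites.
nginx_tls_snippet() {
  cat <<'EOF'
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
EOF
}

# Audit an nginx config file: exit 0 only if at least one ssl_protocols
# directive exists and none of them names anything but TLSv1.2 or TLSv1.3.
# A file still allowing SSLv3/TLSv1/TLSv1.1, or with no ssl_protocols line
# at all (nginx's default has historically included TLSv1 and TLSv1.1),
# fails. Tokens after the terminating ";" (trailing comments) are ignored.
tls_protocols_ok() {
  awk '
    $1 == "ssl_protocols" {
      found = 1
      for (i = 2; i <= NF; i++) {
        tok = $i
        last = index(tok, ";") > 0
        sub(/;.*/, "", tok)
        if (tok != "" && tok != "TLSv1.2" && tok != "TLSv1.3") bad = 1
        if (last) break
      }
    }
    END { exit (found && !bad) ? 0 : 1 }
  ' "$1"
}

# Self-check: a deliberately weak line must fail, the hardened snippet pass.
# Usage: sh harden.sh selfcheck      (or: . ./harden.sh; ufw_rules)
selfcheck() {
  weak=$(mktemp); strong=$(mktemp)
  printf 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n' > "$weak"
  nginx_tls_snippet > "$strong"
  if tls_protocols_ok "$weak"; then echo "weak config passed?!"; return 1; fi
  tls_protocols_ok "$strong" || { echo "hardened snippet failed?!"; return 1; }
  rm -f "$weak" "$strong"
  echo "ok: TLS policy check behaves as expected"
}

if [ "${1:-}" = "selfcheck" ]; then selfcheck; fi
```

Review the output of `ufw_rules` before calling `ufw_apply`, and do it from a console or an existing WireGuard session: once `default deny incoming` takes effect, SSH on the public address is gone by design. Run `tls_protocols_ok /etc/nginx/sites-enabled/nextcloud` after every nginx change; a missing directive fails on purpose, because inheriting the default is how TLSv1 and TLSv1.1 creep back in.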
