Re: [liberationtech] Designing the best network infrastructure for a Human Rights NGO

2013-02-28 Thread Andreas Bader
anonymous2...@nym.hush.com:
> Thanks, yes I also have seen young and old people use linux but I've also 
> seen hundreds of people trained to use it and as soon as they have to update a 
> package in Linux, get confused and reach for a windows machine. The NGO in a 
> box stuff is ok but not what I am asking about at all, I'm speaking about a 
> network for a Western NGO with significant operations and exposure from 
> high-level threats and on the ground in 3rd world countries. 

In that case you should contact a Microsoft adviser; he will help you
build your secure infrastructure based on MS.
If you ask the people here what they would use then you get the answers
you get right now.
You sound like you want security in a corporate structure.

Andreas
--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech


Re: [liberationtech] Looking for collaborators for free-range voting project

2013-02-28 Thread Michael Allan
Ruben and Rich,

Ruben Bloemgarten said:
> It seems I might have jumped the gun, assuming the discussion was
> about voting systems for use in political elections. Disclosing all
> voter data, including voter identity would solve much if not all
> issues regarding verifiability, however would that not also restrict
> the use of such a system to topics that have no political or social
> consequences ?  Otherwise it seems that the removal of
> secrecy/anonymity would be extremely problematic if not out-right
> dangerous.

Rich Kulawiec said:
> I'm with Ruben on this one.  There are serious problems (in many
> cases) with disclosure of how someone voted; there are even problems
> disclosing *if* they voted or possibly if they were *eligible* to
> vote, even if that disclosure only (putatively) is done to the
> voter.

I guess the main concern is coercion and vote buying.  I've discussed
this with others and we foresee some important mitigations.  (These
aren't obvious BAM, and it took us some time to see them.)  *

  (a) Continuous primary voting: Vote sellers can shift their votes
  after taking the money, perhaps re-selling them to other buyers.
  This makes vote buying a poor investment.

  (b) Full disclosure: Buyers, sellers and systematic pressure by
  others (employers, unions, churches, and so forth) are
  detectable by statistical pattern analysis of vote shifts and
  dispositions in correlation with facts (known buyers and
  sellers, workforce structure and dynamics, and so forth).

  (c) Separation of primary from decision systems: Public and private
  voting may be interrelated through separate electoral systems: a
  public vote in the run-up (primary system) culminates in a
  private vote on election day (decision system).  The final
  private vote (secret ballot) filters out instances of individual
  vote buying and coercion.

  A similar strategy may be applied to normative decisions.  Here
  the decisive vote is often not private, but instead restricted
  to a small number of people, such as elected assembly members.
  Concerns of coercion and vote buying are thus *also* restricted
  to that smaller group of people, who may therefore be closely
  monitored and scrutinized.

These should at least prevent skewing of decisions and other serious
harm.  Or have we overlooked something?

I used to point to the harm caused by our faith in the secret ballot,
but now I feel it's the wrong approach.  Whatever we suffer on account
of our political arrangements (we in the West, who have so much else
to be thankful for) is our own fault.  We have the wherewithal to fix
things, and could even proceed a little faster if we wished.


  * From this footnote, which also links to discussions
http://zelea.com/project/votorola/d/theory.xht#fn-2

Mike


[liberationtech] Additional References on Hacking as Activism, for Social Change, for Empowerment

2013-02-28 Thread Yosem Companys
From: Kishonna Gray 

Hello all! I am looking for additional references similar to Gabriella's
work here (awesome book btw).  A student is looking for information on
hacking as activism, hacking for social change, hacking for empowerment,
etc.

Any and all citations are welcome!

Thanks
Kishonna

*Kishonna L. Gray, PhD*
*Assistant Professor*
School of Justice Studies
Eastern Kentucky University
Email: kishonna.g...@eku.edu
Office: Stratton 313
Phone: 859-622-8880

*Recent scholarship on Xbox Live: *

Gray, K.L. (2013) Diffusion of Innovation Theory and Xbox Live: Examining
Minority Gamers Responses and Rate of Adoption to Changes in Xbox
Live. *Bulletin
of Science, Technology, & Society*, 32(6): 463-470.

Gray, K.L. (2012) Deviant Bodies, Stigmatized Identities, and Racist Acts:
Examining the Experiences of African-American Gamers in Xbox Live.  *New
Review of Hypermedia and Multimedia, *18(4): 261-276.


Re: [liberationtech] Is cryptography becoming less important?

2013-02-28 Thread Kyle Maxwell
On Thu, Feb 28, 2013 at 5:30 PM, Richard Brooks  wrote:
>> So organizations get compromised by well-meaning users who click on a
>> link in an email or slip up and use an insecure connection, and while
>> we can ameliorate that to a certain extent with code, and while
>> to think more about how to make it easier for users to make the
>> "right" choices versus the "wrong" choices.
>>
>
> Too often this is phrased as "users should know better." But,
> to be honest, I think most anyone could be fooled by a well
> planned spear-phishing attack. Last year it got RSA security,
> ORNL, Lockheed-Martin, and the entire state of South Carolina.

State-affiliated actors use this frequently, yes, as I'm sure many on
this list can attest. But if we make it more difficult for users to do
the "wrong" thing, then the attackers have a more difficult time.
Hopefully we eventually change the cost/benefit calculation, but
that's probably best for another separate discussion.

On topic, though, if attackers can easily convince a user to run code
through deception or similar means, then all the crypto in the world
won't matter. And I hope that the linked article missed some context,
because if Rivest et al. only realize recently that the CA PKI is
irretrievably broken, we're way behind.

-- 
Kyle Maxwell [krmaxw...@gmail.com]
http://www.xwell.org
Twitter: @kylemaxwell


[liberationtech] How Copyright Works at Stanford

2013-02-28 Thread Yosem Companys
May be of interest.  Document was recently updated.  See:

http://stanford.edu/group/univ-librarian/2013_Copyright_Reminder.pdf


Re: [liberationtech] Is cryptography becoming less important?

2013-02-28 Thread Richard Brooks
> So organizations get compromised by well-meaning users who click on a
> link in an email or slip up and use an insecure connection, and while
> we can ameliorate that to a certain extent with code, and while
> to think more about how to make it easier for users to make the
> "right" choices versus the "wrong" choices.
>

Too often this is phrased as "users should know better." But,
to be honest, I think most anyone could be fooled by a well
planned spear-phishing attack. Last year it got RSA security,
ORNL, Lockheed-Martin, and the entire state of South Carolina.

The use of email in normal business practices far exceeds
what should be done, given the lack of authentication and
the ease of slipping malicious payloads into innocuous
looking URLs, PDFs, etc.
-- 
===
R. R. Brooks

Associate Professor
Holcombe Department of Electrical and Computer Engineering
Clemson University

313-C Riggs Hall
PO Box 340915
Clemson, SC 29634-0915
USA

Tel.   864-656-0920
Fax.   864-656-5910
email: r...@acm.org
web:   http://www.clemson.edu/~rrb

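Richard's point about innocuous-looking URLs is something a mail gateway or client can partly check on the user's behalf. The Python below is an added example, not code from the thread: it pulls every link out of an HTML mail body and flags three classic tricks, visible text naming one host while the href goes to another, a userinfo@ prefix that makes the real host the part after the @, and punycode (xn--) labels that render as look-alike characters. The sample message is constructed; the hostnames and the 198.51.100.7 address are documentation examples, not real sites.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample mail body (example hostnames and a TEST-NET-2 address,
# not real sites). Link 1 is honest; links 2-4 each use a deception trick.
SAMPLE_MAIL = """<html><body>
<p>Agenda for Friday: <a href="https://docs.example.org/agenda">https://docs.example.org/agenda</a></p>
<p>Your account needs attention:
<a href="http://bank.example.com@198.51.100.7/login">https://bank.example.com/login</a></p>
<p>Updated travel policy: <a href="https://xn--pple-43d.example/policy.pdf">apple.example</a></p>
<p><a href="javascript:void(0)">Unsubscribe</a></p>
</body></html>"""

# Visible anchor text that a user would read as "a web address".
_DOMAINISH = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Lower-cased hostname of a URL or bare domain; '' when there is none.
    Non-web schemes such as javascript: have no host and yield ''."""
    try:
        parts = urlsplit(s.strip())
        if not parts.scheme and not parts.netloc:   # bare 'bank.example.com/login'
            parts = urlsplit("http://" + s.strip())
        return (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ""


def audit_links(html):
    """Return [(href, [reasons])] for every link that looks deceptive."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = host_of(href)
        reasons = []
        scheme = parts.scheme.lower()
        if scheme and scheme not in ("http", "https", "mailto"):
            reasons.append("non-web scheme: " + scheme)
        if "@" in parts.netloc:
            # Browsers treat everything before '@' as credentials, not the host.
            reasons.append("userinfo before host; real host is " + host)
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("punycode label in host: " + host)
        if _DOMAINISH.fullmatch(text):
            shown = host_of(text)
            if shown and shown != host:
                reasons.append("visible text names %s but link goes to %s" % (shown, host))
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in audit_links(SAMPLE_MAIL):
        print(href)
        for r in reasons:
            print("   -", r)
```

The host comparison is exact on purpose: a check that accepted "the same registrable domain" would need a public-suffix list, and a check that accepted substrings would wave through `bank.example.com.evil.example`. Anything this flags is a candidate for rewriting the link to its real host in the rendered mail, which is the "make the wrong choice harder" step Kyle and Richard are after.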


Re: [liberationtech] Designing the best network infrastructure for a Human Rights NGO

2013-02-28 Thread Martin Gemzell
On Feb 28, 2013 7:40 PM,  wrote:

> Hi,
> We are a human rights NGO that is looking to invest in the best
> possible level of network security (protection from high-level
> cyber-security threats, changing circumvention/proxy to protect IP
> address etc, encryption on endpoints and server, IDS/Physical and
> Software Firewall/File Integrity Monitoring, Mobile Device
> Management, Honeypots) we can get for our internal network. I was
> wondering if people would critique the following network, add
> comments, suggestions and alternative methods/pieces of software.
> (Perhaps if it goes well we could make a short paper out of it, for
> others to use.)
>
> -Windows 2012 Server
> -VMWare virtual machines running Win 8 for remote access
> -Industry standard hardening and lock down of all OS systems.
> -Constantly changing proxies
> -PGP email with BES
> -Cryptocard tokens
> -Sophos Enterprise Protection, Encryption and Patch management
> -Sophos mobile management
> -Encrypted voice calls for mobile and a more secure alternative to
> Skype via Silent Circle.
> -TrueCrypt on all drives - set to close without use after a
> specific time
> -Easily controlled kill commands
> -False and poison pill files
> -Snort IDS
> -Honeypots
> -Tripwire
> -Cisco Network Appliance
> -No wifi
> -Strong physical protection in a liberal country as regards human
> rights
>
> I know there are many other factors, good training, constant
> monitoring, avoiding spear-phishing, penetration testing, etc but if
> possible I would please like to keep the conversation on the
> network design and software.
>
> Thanks guys.
> -Anon
>
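Two entries in the list quoted above, File Integrity Monitoring and Tripwire, come down to the same mechanism: record a cryptographic digest of every file you care about, keep that baseline where an intruder on the host cannot quietly rewrite it, and diff the live tree against it. The Python below is an added example, not part of the thread and not Tripwire's code; the directory layout, file contents and key are constructed for the demo, and the key is assumed to live on the monitoring side rather than on the monitored host.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile


def _sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _sign(entries, key):
    # Canonical JSON so the same tree always yields the same bytes to MAC.
    payload = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def build_baseline(root, key):
    """Digest, size and permission bits of every regular file under root,
    wrapped in an HMAC so the manifest itself cannot be silently edited."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):      # skip symlinks, sockets, etc.
                continue
            entries[os.path.relpath(full, root)] = {
                "sha256": _sha256_file(full),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return {"entries": entries, "hmac": _sign(entries, key)}


def verify_baseline(manifest, key):
    """True only if the manifest was produced under this key and is unchanged."""
    return hmac.compare_digest(_sign(manifest["entries"], key), manifest["hmac"])


def check_tree(root, manifest, key):
    """Diff the live tree against a baseline; refuse a baseline that fails its MAC."""
    if not verify_baseline(manifest, key):
        raise ValueError("baseline manifest failed HMAC check: tampered or wrong key")
    old = manifest["entries"]
    new = build_baseline(root, key)["entries"]
    return {
        "modified": sorted(p for p in old if p in new and new[p] != old[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


def demo():
    """Constructed scenario: baseline a tiny tree, tamper with it, check."""
    key = b"hypothetical-key-kept-on-the-monitoring-host"  # assumption: never stored on the target
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(etc, "motd"), "w") as f:
            f.write("welcome\n")
        baseline = build_baseline(root, key)

        # Simulated intrusion: edit one file, drop a new one, delete another.
        with open(os.path.join(etc, "hosts"), "a") as f:
            f.write("198.51.100.7 update.example\n")
        with open(os.path.join(etc, "ld.so.preload"), "w") as f:
            f.write("/tmp/evil.so\n")
        os.remove(os.path.join(etc, "motd"))
        report = check_tree(root, baseline, key)

        # An intruder who rewrites the manifest to hide the edit, but lacks
        # the key, breaks the MAC and is caught at the next check.
        baseline["entries"]["etc/hosts"]["sha256"] = "0" * 64
        manifest_still_valid = verify_baseline(baseline, key)
    return report, manifest_still_valid


if __name__ == "__main__":
    print(demo())
```

The MAC is the part people skip: a digest list stored world-readable on the same box is just one more file for the attacker to regenerate after planting a backdoor. Scheduling the check from a separate host (or a read-only boot medium) closes the remaining gap, where an attacker with root simply disables the checker.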

Re: [liberationtech] Designing the best network infrastructure for a Human Rights NGO

2013-02-28 Thread anonymous2013
Thanks, yes I also have seen young and old people use linux but I've also seen 
hundreds of people trained to use it and as soon as they have to update a 
package in Linux, get confused and reach for a windows machine. The NGO in a 
box stuff is ok but not what I am asking about at all, I'm speaking about a 
network for a Western NGO with significant operations and exposure from 
high-level threats and on the ground in 3rd world countries. 

Most of what I have gotten so far are lectures and rhetoric.


On Thu, Feb 28 at 06:26 PM (UTC), "Julian Oliver"  
wrote:

> ..on Thu, Feb 28, 2013 at 03:00:11PM +,
> anonymous2...@nym.hush.com wrote:
> > If you think you can get a board member or a finance person
> in an NGO to use
> > Linux then you are detached from the reality of how most
> NGO's work. The user
> will simply ignore it.
> 
> Really? Have you tried a recent desktop Linux distribution? What
> about Android?
> While not a fan of Ubuntu myself, I've seen both an 11yr old
> girl and a 70yr old
> retired farmer installing packages and watching videos, making
> documents in
> Ubuntu. One quite often hears many people find it far less
> confusing than
> Windows.
> 
> Linux is just a kernel. GNU tools, applications and the UI are
> what make it a
> Desktop OS - and they vary in usability.
> 
> Anyway, to be a little more constructive on the topic, check out
> Tactical Tech's
> NGO-in-a-box. All built on free and open software:
> 
> "Everyday tools for NGOs Base NGO in-a-box is a collection
> of tools for the
> day-to-day running of small to medium sized NGOs. Produced by
> Tactical Tech in
> association with WomensNet, this toolkit aims to make it easier
> to set up base,
> find the right software and learn how to use it. Targeted
> primarily at NGOs and
> advocacy organisations in developing countries the Box contains
> a set of
> peer-reviewed Free and Open Source Software tools, with
> associated guides and
> tutorials."
> 
> http://archive.tacticaltech.org/ngo-in-a-box-base.html
> 
> Testimonials:
> 
> http://archive.tacticaltech.org/whatpeoplesayaboutus.html
> 
> Cheers,
> 
> Julian
> 
> >
> > On Thu, 28 Feb 2013 14:50:08 + "Andreas Bader"  wrote:
> > > anonymous2...@nym.hush.com:
> > > > Hi,
> > > > We are a human rights NGO that is looking to invest in the best
> > > > possible level of network security (protection from high-level
> > > > cyber-security threats, changing circumvention/proxy to protect IP
> > > > address etc, encryption on endpoints and server, IDS/Physical and
> > > > Software Firewall/File Integrity Monitoring, Mobile Device
> > > > Management, Honeypots) we can get for our internal network. I was
> > > > wondering if people would critique the following network, add
> > > > comments, suggestions and alternative methods/pieces of software.
> > > > (Perhaps if it goes well we could make a short paper out of it, for
> > > > others to use.)
> > > I also work for a human rights NGO.
> > > First don't use an internal network, you need a decentralised
> > > communication and information network.
> > > Second, Windows is not easier than Linux, compare Windows 8 and Debian
> > > with Gnome 2.
> > > I would probably use a SEL Kernel like in SL 6, when possible a
> > > Live-System.
> > > Forget all the closed-source software.
> > > Now the Software:
> > > -Firefox with Torbutton
> > > -Thunderbird with Torbirdy and OpenPGP
> > > -Vidalia
> > > Encrypt your systems with LUKS, it's also FDE. TrueCrypt doesn't work
> > > with Linux as FDE.
> > > You can possibly try Liberte Linux, someone on this list presented it to
> > > us, it's made for secure communication.
> > > And if you are unsure about Linux and Windows in "High Level Security
> > > Systems", then you should probably go and get a real
> > > Sysadmin/Security-Fanatic.
> > > How good are you with IT-Sec?
> > > I don't want to offend you, but you sound like a beginner.
> > >
> > > Andreas
> > >
> > > (P.S.: Skype? You can't be serious. ICQ and Facebook chat is more
> > > secure. Use IRC).
> 
> 
> -- 
> Julian Oliver
> http://julianoliver.com
> http://criticalengineering.org


Re: [liberationtech] The Myopia of excluding censors: The tale of a self-defeating petition - Opinion - Al Jazeera English

2013-02-28 Thread kseel28440


I want to be dropped from subscription but have forgotten my password. Please 
advise.

-Original Message-
From: x z 
To: liberationtech 
Sent: Fri, Feb 8, 2013 2:17 pm
Subject: Re: [liberationtech] The Myopia of excluding censors: The tale of a 
self-defeating petition - Opinion - Al Jazeera English


Libtech,


I am an ardent supporter for that GFW petition, and I feel compelled to write 
about it *again*, in reply to Tricia Wang's article.


There are three major issues in this piece.


1. The intent of the petition is badly interpreted and exaggerated by Tricia 
even in the literal sense. Tricia claiming "This petition would deny all CNNIC 
researchers and officials the opportunity to come to the US for conferences and 
events" is appalling. The petition is for those "people who help internet 
censorship". Tricia herself argues using several paragraphs that many tasks in 
CNNIC are not censorship related!


2. A lot of people, including Tricia and many on this list, misunderstand the 
spirit of the petition. It is naive to perceive that many people, including 
many of the signatories of this petition, realistically think such a petition 
can make the US government actually adopt such an entry-denial policy. Like I 
mentioned in my previous email on this topic, this petition is a *symbolic* 
one. Its goal is to show to the world that many of Chinese netizens care, and 
it is a way to mobilize (and hopefully organize) us.


3. This article repeated again and again that engagement with China officials 
(including Fang Binxing) is beneficial. I don't disagree with this, but Tricia 
greatly overestimated such benefit. Most of China's officials, especially those 
overseeing censorship, know very well what an open society looks like. This 
knowledge *reinforces* their belief in their censorship policies, contrary to 
what Tricia may think. The present China is not Soviet Union in the cold war 
era. China's ideology system is way more robust.


Regards,


2013/2/8 Collin Anderson 


Libtech,


I appreciated the short articulation of this counterargument at the time of the 
petition being posted and this article summarizes it well. Firstly, 
unfortunately while Libtech has fostered an impression of being a private 
network, it has grown beyond that over the past three years, into a very public 
community -- at times it still often feels like a closed, personal community. I 
think we all agree that State Department employees are entitled to a right of 
an independent opinion, and the only misstep was perhaps sending from a work 
email address with an automatic signature. A brief history of the drama of 
Internet Freedom programs and China makes it clear that this is something that 
the US Government would never have the political will to adopt, much less 
endorse. We may do well to give such people the benefit of the doubt that they 
had intended to provoke conversation and reach out to the community, rather 
than encourage participation. Otherwise, a perspective may be lost.


That being said, the post and petition should have, but did not, provoked a 
legitimate discussion about incongruences in American foreign policy toward 
states that practice repression of media and Internet communications. Case in 
point, on the exact day that Tricia Wang, of whom I am a longtime fan, 
published her argument, the Department of Treasury announced the designation of 
Islamic Republic of Iran Broadcasting (IRIB), Iranian Cyber Police, 
Communications Regulatory Authority (CRA), Iran Electronics Industries (IEI) 
and Ezzatollah Zarghami, head of IRIB, for their participation in activities 
that "restrict or deny the free flow of information to or from the Iranian 
people." These listings follow previous designations by companies and persons 
responsible for the surveillance and disruption of information networks under 
American laws, such as the TRA, CISADA and GHRAVITY EO. 


I was a vocal advocate for these actions and wrote extensively on their 
justification, however, I was also left questioning whether it is morally 
justifiable that I have not spoken out with similar passion against the Bahraini 
MOI. I would ask whether Ms. Wang feels that Treasury's actions on Wednesday 
are similarly unjustifiable within her philosophical argument?


Of minor importance, I do believe that the article over-interprets the extent 
of the applicability of institutional sanctions on employees, particularly 
low-level individuals. However, the tragedy of Treasury sanctions is that they 
are specifically designed to be unclear, and so let's allow that it may chill 
interactions with said researchers.


However, more broadly. At the time of its original attention, the notion of 
travel restrictions was referred to as "coercive force" -- a label which I 
fundamentally disagree with. States and publics have a fundamental right to 
determine what activities that they directly or indirectly facilitate, such as 
through the provision of 

Re: [liberationtech] Designing the best network infrastructure for a Human Rights NGO

2013-02-28 Thread SiNA Rabbani
Speaking of GNU/Linux operating systems, I am personally a big fan of
LiveCDs such as Tails (https://tails.boum.org/), where you don't need to
install any software on a computer and lose all data (almost all data)
on a reboot.

Journalists, activists in high risk countries can have multiple copies
of a LiveCD at home, work or school. Instead of carrying out their
activities on their laptops, they can load the CD and perform their
tasks with little or no trace.

--SiNA

Julian Oliver:
> ..on Thu, Feb 28, 2013 at 03:00:11PM +, anonymous2...@nym.hush.com wrote:
>> If you think you can get a board member or a finance person in an NGO to use
>> Linux then you are detached from the reality of how most NGO's work. The user
>> will simply ignore it.
> 
> Really? Have you tried a recent desktop Linux distribution? What about 
> Android?
> While not a fan of Ubuntu myself, I've seen both an 11yr old girl and a 70yr 
> old
> retired farmer installing packages and watching videos, making documents in
> Ubuntu. One quite often hears many people find it far less confusing than
> Windows.
> 
> Linux is just a kernel. GNU tools, applications and the UI are what make it a
> Desktop OS - and they vary in usability.
> 
> Anyway, to be a little more constructive on the topic, check out Tactical 
> Tech's
> NGO-in-a-box. All built on free and open software:
> 
> "Everyday tools for NGOs Base NGO in-a-box is a collection of tools for the
> day-to-day running of small to medium sized NGOs. Produced by Tactical Tech in
> association with WomensNet, this toolkit aims to make it easier to set up 
> base,
> find the right software and learn how to use it. Targeted primarily at NGOs 
> and
> advocacy organisations in developing countries the Box contains a set of
> peer-reviewed Free and Open Source Software tools, with associated guides and
> tutorials."
> 
> http://archive.tacticaltech.org/ngo-in-a-box-base.html
> 
> Testimonials:
> 
> http://archive.tacticaltech.org/whatpeoplesayaboutus.html
> 
> Cheers,
> 
> Julian
> 
>>
>> On Thu, 28 Feb 2013 14:50:08 + "Andreas Bader" 
>>  wrote:
>>> anonymous2...@nym.hush.com:
>>>> Hi,
>>>> We are a human rights NGO that is looking to invest in the best
>>>> possible level of network security (protection from high-level
>>>> cyber-security threats, changing circumvention/proxy to protect IP
>>>> address etc, encryption on endpoints and server, IDS/Physical and
>>>> Software Firewall/File Integrity Monitoring, Mobile Device
>>>> Management, Honeypots) we can get for our internal network. I was
>>>> wondering if people would critique the following network, add
>>>> comments, suggestions and alternative methods/pieces of software.
>>>> (Perhaps if it goes well we could make a short paper out of it, for
>>>> others to use.)
>>> I also work for a human rights NGO.
>>> First don't use an internal network, you need a decentralised
>>> communication and information network.
>>> Second, Windows is not easier than Linux, compare Windows 8 and Debian
>>> with Gnome 2.
>>> I would probably use a SEL Kernel like in SL 6, when possible a
>>> Live-System.
>>> Forget all the closed-source software.
>>> Now the Software:
>>> -Firefox with Torbutton
>>> -Thunderbird with Torbirdy and OpenPGP
>>> -Vidalia
>>> Encrypt your systems with LUKS, it's also FDE. TrueCrypt doesn't work
>>> with Linux as FDE.
>>> You can possibly try Liberte Linux, someone on this list presented it to
>>> us, it's made for secure communication.
>>> And if you are unsure about Linux and Windows in "High Level Security
>>> Systems", then you should probably go and get a real
>>> Sysadmin/Security-Fanatic.
>>> How good are you with IT-Sec?
>>> I don't want to offend you, but you sound like a beginner.
>>>
>>> Andreas
>>>
>>> (P.S.: Skype? You can't be serious. ICQ and Facebook chat is more
>>> secure. Use IRC).
> 


-- 
“Be the change you want to see in the world.” Gandhi

XMPP: i...@jabber.ccc.de a5dae15f45a37e9768f6deae7b54807fc4942ec9
twitter.com/wwwiretap


Re: [liberationtech] Designing the best network infrastructure for a Human Rights NGO

2013-02-28 Thread Julian Oliver
..on Thu, Feb 28, 2013 at 03:00:11PM +, anonymous2...@nym.hush.com wrote:
> If you think you can get a board member or a finance person in an NGO to use
> Linux then you are detached from the reality of how most NGO's work. The user
> will simply ignore it.

Really? Have you tried a recent desktop Linux distribution? What about Android?
While not a fan of Ubuntu myself, I've seen both an 11yr old girl and a 70yr old
retired farmer installing packages and watching videos, making documents in
Ubuntu. One quite often hears many people find it far less confusing than
Windows.

Linux is just a kernel. GNU tools, applications and the UI are what make it a
Desktop OS - and they vary in usability.

Anyway, to be a little more constructive on the topic, check out Tactical Tech's
NGO-in-a-box. All built on free and open software:

"Everyday tools for NGOs Base NGO in-a-box is a collection of tools for the
day-to-day running of small to medium sized NGOs. Produced by Tactical Tech in
association with WomensNet, this toolkit aims to make it easier to set up base,
find the right software and learn how to use it. Targeted primarily at NGOs and
advocacy organisations in developing countries the Box contains a set of
peer-reviewed Free and Open Source Software tools, with associated guides and
tutorials."

http://archive.tacticaltech.org/ngo-in-a-box-base.html

Testimonials:

http://archive.tacticaltech.org/whatpeoplesayaboutus.html

Cheers,

Julian

> 
> On Thu, 28 Feb 2013 14:50:08 + "Andreas Bader" 
>  wrote:
> > anonymous2...@nym.hush.com:
> > > Hi,
> > > We are a human rights NGO that is looking to invest in the best
> > > possible level of network security (protection from high-level
> > > cyber-security threats, changing circumvention/proxy to protect IP
> > > address etc, encryption on endpoints and server, IDS/Physical and
> > > Software Firewall/File Integrity Monitoring, Mobile Device
> > > Management, Honeypots) we can get for our internal network. I was
> > > wondering if people would critique the following network, add
> > > comments, suggestions and alternative methods/pieces of software.
> > > (Perhaps if it goes well we could make a short paper out of it, for
> > > others to use.)
> > I also work for a human rights NGO.
> > First don't use an internal network, you need a decentralised
> > communication and information network.
> > Second, Windows is not easier than Linux, compare Windows 8 and Debian
> > with Gnome 2.
> > I would probably use a SEL Kernel like in SL 6, when possible a
> > Live-System.
> > Forget all the closed-source software.
> > Now the Software:
> > -Firefox with Torbutton
> > -Thunderbird with Torbirdy and OpenPGP
> > -Vidalia
> > Encrypt your systems with LUKS, it's also FDE. TrueCrypt doesn't work
> > with Linux as FDE.
> > You can possibly try Liberte Linux, someone on this list presented it to
> > us, it's made for secure communication.
> > And if you are unsure about Linux and Windows in "High Level Security
> > Systems", then you should probably go and get a real
> > Sysadmin/Security-Fanatic.
> > How good are you with IT-Sec?
> > I don't want to offend you, but you sound like a beginner.
> >
> > Andreas
> >
> > (P.S.: Skype? You can't be serious. ICQ and Facebook chat is more
> > secure. Use IRC).

-- 
Julian Oliver
http://julianoliver.com
http://criticalengineering.org


Re: [liberationtech] Designing the best network infrastructure for a Human Rights NGO

2013-02-28 Thread David Conrad
Hi,

On Thu, Feb 28, 2013 at 10:00 AM,  wrote:
> Thanks I appreciate the input but this is where one of the problems
> with the LibTech approach lies, having spent years training
> hundreds of people all over the world with TrueCrypt, TOR,
> PGP/Thunderbird etc I can tell you that the systems are simply not
> user friendly enough for the vast majority of non-techie people in
> an NGO environment. In parts of Africa and other places, people are
> barely techno-literate to be able to turn on a windows machine -
> even after considerable training. People now come to work using
> Macs and Android, they are used to easy interfaces etc...If you
> think you can get a board member or a finance person in an NGO to
> use Linux then you are detached from the reality of how most NGO's
> work. The user will simply ignore it.

I suspect more info about the use case here is necessary to provide useful 
feedback. I am not sure how folks at the technical level you describe can 
maintain the disciplines necessary to keep a general purpose system secure. If 
it takes considerable training for them to turn on a Windows machine, then I 
would think the model you're looking for is a remotely managed (and wipe-able) 
appliance/info kiosk with minimal physical exposure and not a general purpose 
system.

Regardless of whether the OS is Windows or a highly locked down super secure 
variant of HyperCryptoGeekOS, I suspect the real risks lie in the usage model 
and physical environment. Without more details on what you're trying to protect 
against I don't think it's possible to propose solutions that are any more than 
what people think are the latest/best cool toys.

Regards,
-drc



Re: [liberationtech] Is cryptography becoming less important?

2013-02-28 Thread Andreas Bader
Scott Elcomb:
> I'd be most interested in hearing this group's thoughts about this post:
> 
> 'In the current climate of continuous attacks and intrusions by APT
> crews, government-sponsored groups and others organizations,
> cryptography is becoming less and less important and defenders need to
> start thinking about new ways to protect data on systems that they
> assume are compromised, one of the fathers of public-key cryptography
> said Tuesday. Adi Shamir, who helped design the original RSA
> algorithm, said that security experts should be preparing for a
> "post-cryptography" world.'
There was always a "war" between people that encrypt data and people
that want to hack that encryption. But in the last years it was clear
that the algorithms can no longer be brute-forced and hacked.
The normal brute-force attack is obsolete and the true problem is the
user, the software and the password he sets for encrypted data. But
that's nothing new.

Andreas


Re: [liberationtech] Designing the best network infrastructure for a Human Rights NGO

2013-02-28 Thread Andreas Bader
drone_guinness1 borgnet:
> ...end users using Linux :-D  (good one)
So you say that Android users aren't end users?



[liberationtech] Open Food Facts project + G-8 conference in DC

2013-02-28 Thread Yosem Companys
From: Stéphane Gigandet 

Hi Everyone,

I presented the Open Food Facts project at the Open Data Day event organized by 
the French local group of OKFN in Paris.
We are creating a kind of "Wikipedia" for food products: a crowdsourced 
database of food products from around the world with ingredients, nutrition 
facts, labels etc. published under the Open Database Licence.

We started in May 2011 and the project took off very quickly, with 300 
contributors adding 5500 products. But so far we have not been very successful 
at developing languages other than French (Spanish being the exception). We 
have versions more or less translated into 10 languages, but very few products. 
You can see the number of products for each language on http://openfoodfacts.org

We would be very interested in finding people who could help us develop the 
project and make it known in other countries.
One thing that was suggested during Open Data Day is that the OKFN's network 
could be of great help in finding people interested in the project from around 
the world.

We also have a very concrete short-term need: on April 29th the G-8 is organizing 
a conference on Open Data for Agriculture and Food Security. There is an 
open call for ideas: https://sites.google.com/site/g8opendataconference/preces
We will answer that call to try to present our project, but if we are selected, 
we may not be able to fly from France to Washington. So we were thinking that 
we may be able to find someone living close to Washington who could present the 
project. And of course we would be more than happy to return the favor and 
present some projects from abroad at conferences in Paris or other conferences 
we go to elsewhere.

By the way we have an "open draft" of our answer to the open call: 
https://docs.google.com/document/d/1IsRV4R3nJuF145H_6jGprMj5ZSTBWYz-Gt_-bO2P2jU/edit?usp=sharing
Any comments or suggestions welcome!

At the Open Data Day event in Paris, it was also suggested that we could start 
an OKFN working group related to food. Would some of you be interested in 
starting and participating in such a working group?

Thank you!

Stéphane Gigandet
http://openfoodfacts.org

Re: [liberationtech] Designing the best network infrastructure for a Human Rights NGO

2013-02-28 Thread anonymous2013
Thanks I appreciate the input but this is where one of the problems 
with the LibTech approach lies, having spent years training 
hundreds of people all over the world with TrueCrypt, TOR, 
PGP/Thunderbird etc I can tell you that the systems are simply not 
user friendly enough for the vast majority of non-techie people in 
an NGO environment. In parts of Africa and other places, people are 
barely techno-literate enough to turn on a Windows machine - 
even after considerable training. People now come to work using 
Macs and Android, they are used to easy interfaces etc...If you 
think you can get a board member or a finance person in an NGO to 
use Linux then you are detached from the reality of how most NGOs 
work. The user will simply ignore it.

And I didn't say Skype, I meant using a Skype alternative like 
Pidgin with OTR etc - obviously Skype is not secure.

Thanks.
-A

On Thu, 28 Feb 2013 14:50:08 + "Andreas Bader" wrote:
>[...]



Re: [liberationtech] Designing the best network infrastructure for a Human Rights NGO

2013-02-28 Thread Rich Kulawiec
On Thu, Feb 28, 2013 at 01:43:38PM +, anonymous2...@nym.hush.com wrote:
> Every idiot knows Linux is more secure in many ways 
> than Windows yet sometimes other factors come into play that 
> require the use of MS. 

No.  MS is never required.  I've heard that contention for decades and
it's never been true.  There's ALWAYS a better way to anyone who has
the intelligence, the resourcefulness, the diligence to find one.

(And this gets easier all the time: finding alternatives is much
easier in 2013 than it was in 2003.  The problem now, in some ways,
is not "are there vastly superior alternatives?" but "which of the
many is right for this instance?"  Good problem to have, though.)

So you have a choice: you can either stubbornly persist with this, or you
can go back through your checklist and remove every single item that's
not open-source.  (For starters.  That's by no means a sufficient change,
but it's a necessary one, and would at least dispense with some of the
most egregiously poor choices, of which "operating system" is not the
only one.)

And Linux is far from the only choice available, and it probably
would not be the one that I recommend first.

But -- to back up quite a bit -- actually making a serious recommendation
would require seeing your design goals, and we haven't.  If we presume,
for the sake of argument, that you have powerful, clueful enemies who
are well-funded and somewhat ruthless, then other changes might also be
in order.

For example, you list:

"Strong physical protection in a liberal country as regards human rights"

If you build according to that model, then you are doing your adversaries
the favor of constructing a single, centralized, easily-identifiable,
fixed target for them to aim at.  I don't think that's a good
architecture, regardless of what you install in it.

So if you really want serious thinking applied to this at the
architectural, design, and implementation levels, then we probably need
to see some kind of documentation that goes into what you're trying
to accomplish along with some assessment of the capabilities of your
adversaries.  How large an operation is this?  How global (or not)?
What's your hardware/software budget?  What functions are you trying
to provide?  We also probably need to know what your assets are: what
are your personnel resources?  What's your training budget?  And so on.

You may also need to recognize that you're not up to this.  Could be.
Can't tell.  But it's certainly possible.  I've seen many people try
to build things that they really, truly weren't capable of building,
with disastrous results.  If that's the case, then it would be a poor
choice indeed to proceed without serious reconsideration.

---rsk


Re: [liberationtech] Designing the best network infrastructure for a Human Rights NGO

2013-02-28 Thread Andreas Bader
anonymous2...@nym.hush.com:
> Hi, 
> We are a human rights NGO that is looking to invest in the best 
> possible level of network security (protection from high-level 
> cyber-security threats, changing circumvention/proxy to protect IP 
> address etc, encryption on endpoints and server, IDS/Physical and 
> Software Firewall/File Integrity Monitoring, Mobile Device 
> Management, Honeypots) we can get for our internal network. I was 
> wondering if people would critique the following network, add 
> comments, suggestions and alternative methods/pieces of software. 
> (Perhaps if it goes well we could make a short paper out of it, for 
> others to use.)
I also work for a human rights NGO.
First, don't use an internal network, you need a decentralized communication
and information network.
Second, Windows is not easier than Linux, compare Windows 8 and Debian
with Gnome 2.
I would probably use a SEL Kernel like in SL 6, when possible a Live-System.
Forget all the closed-source software.
Now the Software:
-Firefox with Torbutton
-Thunderbird with Torbirdy and OpenPGP
-Vidalia
Encrypt your systems with LUKS, it's also FDE. Truecrypt doesn't work
with Linux as FDE.
You can possibly try Liberte Linux, someone on this list presented it to
us, its made for secure communication.
And if you are unsure about Linux and Windows in "High Level Security
Systems", then you should probably go and get a real
Sysadmin/Security-Fanatic.
How good are you with IT-Sec?
I don't want to offend you, but you sound like a beginner.

Andreas

(P.S.: Skype? You can't be serious. ICQ and Facebookchat is more secure.
Use IRC).


Re: [liberationtech] Designing the best network infrastructure for a Human Rights NGO

2013-02-28 Thread Jacob Appelbaum
Bill Woodcock:
> 
> You want to do this securely, and you're _starting_ with Windows?

Welcome to the world of Human Rights NGOs!

If Free Software is only free when your time is worth nothing, Microsoft
is only affordable when your systems aren't under attack.

...

All the best,
Jacob



Re: [liberationtech] Designing the best network infrastructure for a Human Rights NGO

2013-02-28 Thread anonymous2013
Agreed, this kind of advice is what I was hoping to get on LibTech!

On Thu, 28 Feb 2013 14:16:56 + canto...@hushmail.com wrote:
>Thanks excellent advice - much to think about.
>
>On Thu, 28 Feb 2013 14:09:39 + "Tom Ritter" wrote:
>>[...]

Re: [liberationtech] Designing the best network infrastructure for a Human Rights NGO

2013-02-28 Thread cantona7
Thanks excellent advice - much to think about.

On Thu, 28 Feb 2013 14:09:39 + "Tom Ritter" wrote:
>[...]



Re: [liberationtech] Designing the best network infrastructure for a Human Rights NGO

2013-02-28 Thread Tom Ritter
On 28 February 2013 07:39,   wrote:
> Hi,
> We are a human rights NGO that is looking to invest in the best
> possible level of network security (protection from high-level
> cyber-security threats, changing circumvention/proxy to protect IP
> address etc, encryption on endpoints and server, IDS/Physical and
> Software Firewall/File Integrity Monitoring, Mobile Device
> Management, Honeypots) we can get for our internal network. I was
> wondering if people would critique the following network, add
> comments, suggestions and alternative methods/pieces of software.
> (Perhaps if it goes well we could make a short paper out of it, for
> others to use.)
>
> -Windows 2012 Server
> -VMWare virtual machines running Win 8 for remote access

Windows doesn't scare me, full remote access scares me.  (I'm amazed
at how many people are saying "X is insecure" with no explanations how
or why an alternative is more secure.) Obviously you'll need something
for remote workers, but see the next section...

> -Industry standard hardening and lock down of all OS systems.

Industry 'Standard' hardening isn't particularly good because
'Standard' is 'Standard' and 'Standard' is also hacked over and over
again.  Upgrading your RDP authentication level is a good idea and
'Standard' - but what you want most of all is separation of privilege.
 I don't mean "Bob the sysadmin is the only person who can administer
the mailserver" I mean "Bob the sysadmin is the only person who can
administer the mailserver, and he can only do it from a separate
computer that's on a separate airgapped network and he doesn't use USB
keys".

Airgapping brings thoughts of crazy military-levels of paranoia - but
it's not all that difficult and it's getting more and more important.
Get a couple cheapish laptops, a separate consumer-level broadband
connection, and run red cables plus blue to a few people's desks.

Think about it in terms of compartmentalisation, both airgapped and
non-airgapped-but-separate-Domains/VLANs/Authorisation contexts. Draw
out your network, and then fill an entire section with Red - that's
what the attacker controls.  How does he move to another section? What
data does he get?  Brainstorm this part heavily, consider putting it
up on a permanent whiteboard and referring to it every time someone
comes in and needs access to X group's fileserver, or what-have-you.

> -Constantly changing proxies

I have no idea what you intend to accomplish with this.  Performing
*more* logging of your employees, or not disabling WPAD sounds like
the opposite of what you'd want.  (And a note on the WPAD item:
disable IPv6 too.)

> -Sophos Enterprise Protection, Encryption and Patch management
> -Sophos mobile management

Uh, I guess.  I guess I shouldn't disparage something I've never
reviewed and haven't worked with... But my opinion of "Enterprise
Protection" products isn't too high until I've seen an independent
security firm see how secure the product is and how much attack
surface it adds.

> -Encrypted voice calls for mobile and a more secure alternative to
> Skype via Silent Circle.

So I guess that's RedPhone?

> -TrueCrypt on all drives - set to close without use after a
> specific time

BitLocker is a fine alternative, and probably easier to manage/query
via Group Policy.

> -False and poison pill files
> -Honeypots

Ooookay.  This isn't a bad idea, but it's pretty damn complicated to
set up - you're moving more and more towards something that requires a
24/7 SOC (Security Operations Center) and further away from
"Architecting a secure network."

> -Snort IDS
> -Tripwire

And someone full time (or 2 people, really probably a team of folks
operating 24/7) to monitor these?  Cause this stuff doesn't help you
if no one's looking at it.

> -Easily controlled kill commands

... Huh?

> -No wifi

Good luck with that.  I guess no one's going to have any productive
meetings or use any MacBook Airs, tablets, or phones for work
purposes.  (Unlikely.)  Having everyone use the cell towers isn't a
great idea either.  This sounds like you haven't done a requirements
gathering phase with your users.

-tom
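
Tom's whiteboard exercise (paint one segment red, then ask how the attacker moves and what data he gets) can be made mechanical, which is useful when the drawing changes every time someone asks for access to another group's fileserver. What follows is an added example, not code from the thread or from any product mentioned in it. The segment names, data labels and edges are a constructed, hypothetical NGO network: one edge list describes a flat design where the sysadmin works from an ordinary office desktop, the other the same assets after Tom's separation-of-privilege advice (administration only from a separate, airgapped machine). It also shows, for a given asset, which single edge removals would keep it out of the red area.

```python
"""Blast-radius walk over a compartmentalised network.

Added example, not from the original thread. The segment names, data labels
and edges below are a constructed, hypothetical NGO network used to make the
"fill a section with red" exercise mechanical.
"""
from collections import deque

# Which segment holds which data the attacker would want. Hypothetical.
DATA = {
    "mail": "mailboxes",
    "files-finance": "donor records",
    "files-programmes": "case files",
    "admin-net": "domain admin credentials",
}

# An edge (src, dst, how) means: an attacker who fully controls `src` can get a
# foothold in `dst` via `how`. Flat design: everything hangs off the office
# VLAN and the sysadmin administers from an ordinary office desktop.
FLAT_NETWORK = [
    ("remote-access", "office-lan", "RDP session lands on the office VLAN"),
    ("office-lan", "mail", "mail server on the same VLAN, cached domain creds"),
    ("office-lan", "files-finance", "finance share mounted on every desktop"),
    ("office-lan", "admin-net", "sysadmin administers from an office desktop"),
    ("admin-net", "mail", "domain admin credentials"),
    ("admin-net", "files-finance", "domain admin credentials"),
    ("admin-net", "files-programmes", "domain admin credentials"),
]

# Same assets after separating privilege: administration only from a separate,
# airgapped machine (no inbound edge into admin-net), and the finance share is
# no longer reachable from the general office VLAN.
COMPARTMENTALISED = [
    ("remote-access", "office-lan", "RDP session lands on the office VLAN"),
    ("office-lan", "mail", "mail server on the same VLAN, cached domain creds"),
    ("admin-net", "mail", "domain admin credentials"),
    ("admin-net", "files-finance", "domain admin credentials"),
    ("admin-net", "files-programmes", "domain admin credentials"),
]


def reachable(edges, start):
    """Breadth-first walk from the compromised segment.

    Returns {segment: how the attacker got there}, i.e. the red area of the
    whiteboard drawing once `start` is painted red.
    """
    how_reached = {start: "initial compromise"}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst, how in edges:
            if src == cur and dst not in how_reached:
                how_reached[dst] = f"{cur} -> {dst}: {how}"
                queue.append(dst)
    return how_reached


def exposed_data(edges, start):
    """Sorted list of data labels the attacker can read from `start`."""
    return sorted(DATA[s] for s in reachable(edges, start) if s in DATA)


def critical_edges(edges, start, target):
    """Edges whose removal alone keeps `target` out of the red area.

    Each one is a single firewall rule, VLAN move or airgap that would stop
    this attack path; an empty list means no single change is enough.
    """
    cuts = []
    for edge in edges:
        remaining = [e for e in edges if e != edge]
        if target not in reachable(remaining, start):
            cuts.append(edge)
    return cuts


if __name__ == "__main__":
    for name, edges in (("flat", FLAT_NETWORK), ("compartmentalised", COMPARTMENTALISED)):
        print(f"== {name}: attacker owns office-lan ==")
        for seg, how in reachable(edges, "office-lan").items():
            print(f"  {seg:18} {how}")
        print("  exposed:", ", ".join(exposed_data(edges, "office-lan")))
    print("single cuts that protect case files in the flat design:")
    for edge in critical_edges(FLAT_NETWORK, "office-lan", "files-programmes"):
        print("  remove", edge[:2])
```

In the flat design a phished office desktop reaches every data set, because the admin's desktop is the bridge; in the compartmentalised design the same compromise stops at the mail server. The edge list is the artifact to keep on the permanent whiteboard: when a new share or VPN is requested, add the edge and re-run the walk before approving it.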


Re: [liberationtech] Designing the best network infrastructure for a Human Rights NGO

2013-02-28 Thread SiNA Rabbani
You are listing a lot of technology, creating a very complex system. My 2
cents is that you want to design your network as simple as possible, with
the least number of features and access points.

I'd like to bring your attention to hidden services from The Tor Project;
you can achieve end-to-end encryption without relying on the traditional CA
model/business, which is very broken today.

Two-factor authentication along with password logins is also recommended.

My #1 concern is that all these technologies require experts to install and
maintain. Any plans there?

Finally, compartmentalization is your best friend. Assume that despite your
fancy Snort box you are going to get hacked, and be ready for it!

Good luck!
--SiNA
On Feb 28, 2013 5:43 AM,  wrote:

> Frankly you're what's wrong with a small minority of the people on
> LibTech. NGOs have to balance cost, security, people, user needs,
> current infrastructure, software/hardware donation programs, man
> hours etc etc...Every idiot knows Linux is more secure in many ways
> than Windows yet sometimes other factors come into play that
> require the use of MS.
>
> This topic is a genuine topic that has not been looked at to my
> knowledge by the movement - we have tons of material on VOIP
> safety, encryption, device management etc but not much on actual
> network design...I hope you're glad that your smart-ass comments have
> dragged it sideways within the first two posts, to the detriment of
> the group.
>
> I have no interest in being trolled. Is there anyone on the list
> that wants to talk through this and give me some direct advice on
> how to implement a safe NGO operational network?
>
> On Thu, 28 Feb 2013 13:35:26 + "Bill Woodcock" wrote:
> >Sorry, thought you'd asked for advice about the "best possible"
> >way to do it. Didn't realize you meant "best possible with no time
> >or attention."  But, wait, that's not quite it either, is it?  You
> >meant that you don't want to invest _your_ time and attention, but
> >you think people on the list can solve that for you by
> >contributing _our_ time and attention?  I'm not sure it works that
> >way, but perhaps someone who's feeling more charitable than I am
> >right now can suggest the "best possible" solution that requires
> >none of your time and attention and runs on Windows.
> >
> >Since I'm now 34 hours into an Ottawa-bound itinerary for the CIF,
> >a tip of the hat to Canada: "As secure as possible, under the
> >circumstances."
> >
> >-Bill
> >
> >
> >On Feb 28, 2013, at 8:22, "anonymous2...@nym.hush.com" wrote:
> >
> >> Can we please get back to the issue at hand
> >>
> >> On Thu, 28 Feb 2013 13:16:03 + "Bill Woodcock" wrote:
> >>> Ah, yes, those expensive man-hours.  Security is so much easier
> >>> when you don't give it time and attention.  It also doesn't work.
> >>>
> >>>   -Bill
> >>>
> >>> On Feb 28, 2013, at 8:09, "anonymous2...@nym.hush.com" wrote:
> >>>
> >>>> I knew this was coming at some point. Yes I am starting with
> >>>> Windows, it's more functional (awaits incoming) and costs less in
> >>>> terms of expensive man hours (the hidden cost vs software) for a
> >>>> Linux guru to run and monitor the network.
> >>>>
> >>>> On Thu, 28 Feb 2013 13:03:00 + "Bill Woodcock" wrote:
> >>>>> You want to do this securely, and you're _starting_ with Windows?
> >>>>>
> >>>>>  -Bill
> >>>>>
> >>>>> On Feb 28, 2013, at 7:40, "anonymous2...@nym.hush.com" wrote:
> >>>>>
> >>>>>> Hi,
> >>>>>> We are a human rights NGO that is looking to invest in the best
> >>>>>> possible level of network security (protection from high-level
> >>>>>> cyber-security threats, changing circumvention/proxy to protect IP
> >>>>>> address etc, encryption on endpoints and server, IDS/Physical and
> >>>>>> Software Firewall/File Integrity Monitoring, Mobile Device
> >>>>>> Management, Honeypots) we can get for our internal network. I was
> >>>>>> wondering if people would critique the following network, add
> >>>>>> comments, suggestions and alternative methods/pieces of software.
> >>>>>> (Perhaps if it goes well we could make a short paper out of it, for
> >>>>>> others to use.)
> >>>>>>
> >>>>>> -Windows 2012 Server
> >>>>>> -VMWare virtual machines running Win 8 for remote access
> >>>>>> -Industry standard hardening and lock down of all OS systems.
> >>>>>> -Constantly changing proxies
> >>>>>> -PGP email with BES
> >>>>>> -Cryptocard tokens
> >>>>>> -Sophos Enterprise Protection, Encryption and Patch management
> >>>>>> -Sophos mobile management
> >>>>>> -Encrypted voice calls for mobile and a more secure alternative to
> >>>>>> Skype via Silent Circle.
> >>>>>> -TrueCrypt on all drives - set to close without use after a
> >>>>>> specific time
> >>>>>> -Easily cont

Re: [liberationtech] Designing the best network infrastructure for a Human Rights NGO

2013-02-28 Thread Julian Oliver
..on Thu, Feb 28, 2013 at 01:08:54PM +, anonymous2...@nym.hush.com wrote:
> I knew this was coming at some point. Yes I am starting with 
> Windows, it's more functional (awaits incoming) and costs less in 
> terms of expensive man hours (the hidden cost vs software) for a 
> Linux guru to run and monitor the network.

You really don't have to be a "Linux guru" to host a server running Linux.
I'm sure many people would be happy to help you get going, however, if you
are worried about entry barriers.

In all honesty and without meaning to insult your choice, choosing Windows 2012
Server is simply a bad idea. In fact, you are actually inviting trouble.

I have known people that target Windows Server as a matter of perverse
principle. It is not used by any that care for or understand network security.
Although Windows Server 2012 is better than previous versions, the remote
exploits for Microsoft's servers are numerous, from terminal services to MSSQL
and MS XML core services remote code execution. More so, it's famously easy to
push over with a Denial of Service attack.

You really are better off spending the time setting up a GNU/Linux server. Again,
I'd be happy to advise. Like many on this list, I have administered GNU/Linux
systems for a long time and run my own servers.

Cheers,

Julian


-- 
Julian Oliver
http://julianoliver.com
http://criticalengineering.org


Re: [liberationtech] Designing the best network infrastructure for a Human Rights NGO

2013-02-28 Thread Andrew Lewis
I'd personally recommend the hardening guide from the NSA; they know
their stuff. As for the Linux brigade, a badly secured Linux install
that is poorly managed is not better than a decently managed Linux
distro. I have to go look at some of the products you wrote down, but
this looks like a decent shopping list for a reasonably secure
environment.


On Mar 1, 2013, at 2:43 AM, "anonymous2...@nym.hush.com"
 wrote:

> Frankly you're what's wrong with a small minority of the people on
> LibTech. NGOs have to balance cost, security, people, user needs,
> current infrastructure, software/hardware donation programs, man
> hours etc etc... Every idiot knows Linux is more secure in many ways
> than Windows, yet sometimes other factors come into play that
> require the use of MS.
>
> This topic is a genuine topic that has not been looked at to my
> knowledge by the movement - we have tons of material on VOIP
> safety, encryption, device management etc but not much on actual
> network design... I hope you're glad that your smart-ass comments have
> dragged it sideways within the first two posts, to the detriment of
> the group.
>
> I have no interest in being trolled. Is there anyone on the list
> that wants to talk through this and give me some direct advice on
> how to implement a safe NGO operational network?

Re: [liberationtech] Designing the best network infrastructure for a Human Rights NGO

2013-02-28 Thread anonymous2013
Frankly you're what's wrong with a small minority of the people on 
LibTech. NGOs have to balance cost, security, people, user needs, 
current infrastructure, software/hardware donation programs, man 
hours etc etc... Every idiot knows Linux is more secure in many ways 
than Windows, yet sometimes other factors come into play that 
require the use of MS. 

This topic is a genuine topic that has not been looked at to my 
knowledge by the movement - we have tons of material on VOIP 
safety, encryption, device management etc but not much on actual 
network design... I hope you're glad that your smart-ass comments have 
dragged it sideways within the first two posts, to the detriment of 
the group.

I have no interest in being trolled. Is there anyone on the list 
that wants to talk through this and give me some direct advice on 
how to implement a safe NGO operational network?

On Thu, 28 Feb 2013 13:35:26 + "Bill Woodcock"  
wrote:
>Sorry, thought you'd asked for advice about the "best possible" 
>way to do it. Didn't realize you meant "best possible with no time 
>or attention."  But, wait, that's not quite it either, is it?  You 
>meant that you don't want to invest _your_ time and attention, but 
>you think people on the list can solve that for you by 
>contributing _our_ time and attention?  I'm not sure it works that 
>way, but perhaps someone who's feeling more charitable than I am 
>right now can suggest the "best possible" solution that requires 
>none of your time and attention and runs on Windows. 
>
>Since I'm now 34 hours into an Ottawa-bound itinerary for the CIF, 
>a tip of the hat to Canada: "As secure as possible, under the 
>circumstances."
>
>-Bill

Re: [liberationtech] Designing the best network infrastructure for a Human Rights NGO

2013-02-28 Thread Bill Woodcock

Sorry, thought you'd asked for advice about the "best possible" way to do it. 
Didn't realize you meant "best possible with no time or attention."  But, wait, 
that's not quite it either, is it?  You meant that you don't want to invest 
_your_ time and attention, but you think people on the list can solve that for 
you by contributing _our_ time and attention?  I'm not sure it works that way, 
but perhaps someone who's feeling more charitable than I am right now can 
suggest the "best possible" solution that requires none of your time and 
attention and runs on Windows. 

Since I'm now 34 hours into an Ottawa-bound itinerary for the CIF, a tip of the 
hat to Canada: "As secure as possible, under the circumstances."

-Bill


On Feb 28, 2013, at 8:22, "anonymous2...@nym.hush.com" 
 wrote:

> Can we please get back to the issue at hand
> 
> On Thu, 28 Feb 2013 13:16:03 + "Bill Woodcock"  
> wrote:
>> Ah, yes, those expensive man-hours.  Security is so much easier 
>> when you don't give it time and attention.  It also doesn't work. 
>> 
>> 
>>   -Bill


Re: [liberationtech] Looking for collaborators for free-range voting project

2013-02-28 Thread Rich Kulawiec
On Thu, Feb 28, 2013 at 02:19:11PM +0100, Ruben Bloemgarten wrote:
> It seems I might have jumped the gun, assuming the discussion was about
> voting systems for use in political elections. Disclosing all voter
> data, including voter identity would solve much if not all issues
> regarding verifiability, however would that not also restrict the use of
> such a system to topics that have no political or social consequences ?
> Otherwise it seems that the removal of secrecy/anonymity would be
> extremely problematic if not out-right dangerous. 

I'm with Ruben on this one.  There are serious problems (in many cases)
with disclosure of how someone voted; there are even problems disclosing
*if* they voted or possibly if they were *eligible* to vote, even if
that disclosure only (putatively) is done to the voter.

---rsk


Re: [liberationtech] Designing the best network infrastructure for a Human Rights NGO

2013-02-28 Thread anonymous2013
Can we please get back to the issue at hand.

On Thu, 28 Feb 2013 13:16:03 + "Bill Woodcock"  
wrote:
>Ah, yes, those expensive man-hours.  Security is so much easier 
>when you don't give it time and attention.  It also doesn't work. 
>
>
>-Bill


Re: [liberationtech] Designing the best network infrastructure for a Human Rights NGO

2013-02-28 Thread Rich Kulawiec
On Thu, Feb 28, 2013 at 12:39:48PM +, anonymous2...@nym.hush.com wrote:
> We are a human rights NGO that is looking to invest in the best 
> possible level of network security [snip]

> -Windows 2012 Server

This is an early April Fool's joke, right?

---rsk


Re: [liberationtech] Looking for collaborators for free-range voting project

2013-02-28 Thread Ruben Bloemgarten
It seems I might have jumped the gun, assuming the discussion was about
voting systems for use in political elections. Disclosing all voter
data, including voter identity, would solve much if not all of the issues
regarding verifiability; however, would that not also restrict the use of
such a system to topics that have no political or social consequences?
Otherwise it seems that the removal of secrecy/anonymity would be
extremely problematic if not outright dangerous. The reverse,
strengthening secrecy at the cost of verifiability (as described by
Edwin Chu), sounds like an interesting approach, especially in places
like HK, but would of course (as Edwin mentions) not do to elect
representation.

- Ruben

On 02/28/2013 04:56 AM, Michael Allan wrote:
> Replying to Rich, Rubin and Edwin:
> 
> Rich Kulawiec said:
>> It won't work.  Until the bot/zombie is solved, online voting is a
>> non-starter, since any election worthy of being stolen can be.  It
>> doesn't matter what you do on the server side: you can construct as
>> elaborate and clever and secure an infrastructure as you
>> wish...because on the client side, there is no way to ensure that
>> what the user sees is what's actually happening. ...
> 
> The solution I would offer isn't fully elaborated in the proposal,
> but it's indicated here:
> 
>>> ... We'll begin with voting forms that are fully public; those are
>>> the simplest to handle and they allow for unrestricted technical
>>> freedom among providers. ...
> 
> What I mean is full disclosure of all voting data, including voter
> identity and credentials. This would make verification of the results
> relatively easy vs. private forms of voting, such as secret ballot. I
> guess zombies in particular would be detected when people wondered why
> friends and such were voting uncharacteristically, or seemed unaware
> of their own vote placements, and so forth.
> 
> Also (not mentioned in the proposal) we're mostly concerned here with
> continuous voting media that allow for unrestricted vote shifting.
> These are not for decision purposes, but rather continuous primaries
> and consensus making efforts (like the "mock poll" that Edwin relates)
> that run long in advance of any decision. So the victim of the zombie
> can correct her votes once she gets to a secure client. Any damage
> that was done is likely to be short lived.
> 
> 
> Ruben Bloemgarten said:
>> Apart from a child-like enthusiasm for anything with buttons and
>> shiny lights, can anyone here explain to me what the intended
>> benefits of electronic voting over paper voting would be ?
> 
> One benefit is the facility of continuous voting (mentioned above),
> which would be relatively difficult to implement with paper votes. A
> possible application of this is described in the second proposal I
> posted. There it's used to structure public discourses that guide
> decisions toward legitimacy and validity.
> https://mailman.stanford.edu/pipermail/liberationtech/2013-February/007357.html
> 
> The larger benefit is public autonomy. I don't know of any means of
> attaining that goal aside from proposals such as these, which depend
> on electronic voting. (If you see any faults in the 2nd proposal, or
> have questions, please reply to the other thread.)
> 
> 
> Edwin Chu said:
>> The goal of this "civic referendum" is never to officially elect the
>> governor. By providing an unofficial election result which has
>> higher credibility and legitimacy than the official result from
>> the Election Committee, we hope to discredit the elected CE and the
>> Election Committee, demonstrating the demand for true universal
>> suffrage, and pushing democratic development forward.
>  
> That's fascinating, because I've been designing software for much the
> same purpose for years now. In some ways, the problem is even worse
> here in North America, because we don't even realize (it seems to me)
> how little freedom we have in political matters. It's perhaps too
> embarrassing for us to admit.
> 
>> Because the mock poll is funded by the community, we have no way to
>> set up enough physical voting stations and a voter registry comparable
>> to the election organized by the government. Indeed, it is difficult
>> to prevent double voting in such a "poor man's election". Some
>> supporters of the CCP criticized the mock poll for lack of
>> credibility for these reasons.
>>
>> Due to the lack of resources, internet voting might be one of the
>> only means to allow most Hong Kong citizens to participate in a mock
>> poll.  What we need is a deployable solution that allows people to vote
>> anonymously, either online or offline, while at the same time providing
>> enough credibility and verifiability. A perfect solution is not
>> necessary because the goal isn't to replace the official paper
>> votes.
> 
> One possible way forward (again) is full disclosure of all voting and
> registration data through which public opinion is expressed. Whatever
> else we might say abou

Re: [liberationtech] Designing the best network infrastructure for a Human Rights NGO

2013-02-28 Thread Bill Woodcock

Ah, yes, those expensive man-hours.  Security is so much easier when you don't 
give it time and attention.  It also doesn't work. 


-Bill


On Feb 28, 2013, at 8:09, "anonymous2...@nym.hush.com" 
 wrote:

> I knew this was coming at some point. Yes I am starting with 
> Windows, it's more functional (awaits incoming) and costs less in 
> terms of expensive man hours (the hidden cost vs software) for a 
> Linux guru to run and monitor the network.
> 
> On Thu, 28 Feb 2013 13:03:00 + "Bill Woodcock"  
> wrote:
>> You want to do this securely, and you're _starting_ with Windows?
>> 
>> 
>>   -Bill
>> 
>> 
>> On Feb 28, 2013, at 7:40, "anonymous2...@nym.hush.com" 
>>  wrote:
>> 
>>> Hi, 
>>> We are a human rights NGO that is looking to invest in the best 
>>> possible level of network security (protection from high-level 
>>> cyber-security threats, changing circumvention/proxy to protect IP 
>>> address etc, encryption on endpoints and server, IDS/Physical and 
>>> Software Firewall/File Integrity Monitoring, Mobile Device 
>>> Management, Honeypots) we can get for our internal network. I was 
>>> wondering if people would critique the following network, add 
>>> comments, suggestions and alternative methods/pieces of software. 
>>> (Perhaps if it goes well we could make a short paper out of it, for 
>>> others to use.)
>>> 
>>> -Windows 2012 Server
>>> -VMWare virtual machines running Win 8 for remote access
>>> -Industry standard hardening and lock down of all OS systems.
>>> -Constantly changing proxies
>>> -PGP email with BES
>>> -Cryptocard tokens
>>> -Sophos Enterprise Protection, Encryption and Patch management
>>> -Sophos mobile management
>>> -Encrypted voice calls for mobile and a more secure alternative to 
>>> Skype via Silent Circle.
>>> -TrueCrypt on all drives - set to close without use after a 
>>> specific time
>>> -Easily controlled kill commands
>>> -False and poison pill files
>>> -Snort IDS
>>> -Honeypots
>>> -Tripwire
>>> -Cisco Network Appliance
>>> -No wifi
>>> -Strong physical protection in a liberal country as regards human 
>>> rights
>>> 
>>> I know there are many other factors, good training, constant 
>>> monitoring, avoiding spear-phishing, penetration testing, etc but if 
>>> possible I would please like to keep the conversation on the 
>>> network design and software.
>>> 
>>> Thanks guys.
>>> -Anon


Re: [liberationtech] Designing the best network infrastructure for a Human Rights NGO

2013-02-28 Thread anonymous2013
I knew this was coming at some point. Yes I am starting with 
Windows, it's more functional (awaits incoming) and costs less in 
terms of expensive man hours (the hidden cost vs software) for a 
Linux guru to run and monitor the network.

On Thu, 28 Feb 2013 13:03:00 + "Bill Woodcock"  
wrote:
>You want to do this securely, and you're _starting_ with Windows?
>
>
>-Bill
>
>
>On Feb 28, 2013, at 7:40, "anonymous2...@nym.hush.com" wrote:
>
>> Hi, 
>> We are a human rights NGO that is looking to invest in the best 
>> possible level of network security (protection from high-level 
>> cyber-security threats, changing circumvention/proxy to protect IP 
>> address etc, encryption on endpoints and server, IDS/Physical and 
>> Software Firewall/File Integrity Monitoring, Mobile Device 
>> Management, Honeypots) we can get for our internal network. I was 
>> wondering if people would critique the following network, add 
>> comments, suggestions and alternative methods/pieces of software. 
>> (Perhaps if it goes well we could make a short paper out of it, for 
>> others to use.)
>> 
>> -Windows 2012 Server
>> -VMWare virtual machines running Win 8 for remote access
>> -Industry standard hardening and lock down of all OS systems.
>> -Constantly changing proxies
>> -PGP email with BES
>> -Cryptocard tokens
>> -Sophos Enterprise Protection, Encryption and Patch management
>> -Sophos mobile management
>> -Encrypted voice calls for mobile and a more secure alternative to 
>> Skype via Silent Circle.
>> -TrueCrypt on all drives - set to close without use after a 
>> specific time
>> -Easily controlled kill commands
>> -False and poison pill files
>> -Snort IDS
>> -Honeypots
>> -Tripwire
>> -Cisco Network Appliance
>> -No wifi
>> -Strong physical protection in a liberal country as regards human 
>> rights
>> 
>> I know there are many other factors, good training, constant 
>> monitoring, avoiding spearphishing, penetration testing, etc but if 
>> possible I would please like to keep the conversation on the 
>> network design and software.
>> 
>> Thanks guys.
>> -Anon
>> 



Re: [liberationtech] Designing the best network infrastructure for a Human Rights NGO

2013-02-28 Thread Bill Woodcock

You want to do this securely, and you're _starting_ with Windows?


-Bill


On Feb 28, 2013, at 7:40, "anonymous2...@nym.hush.com" wrote:

> Hi, 
> We are a human rights NGO that is looking to invest in the best 
> possible level of network security (protection from high-level 
> cyber-security threats, changing circumvention/proxy to protect IP 
> address etc, encryption on endpoints and server, IDS/Physical and 
> Software Firewall/File Integrity Monitoring, Mobile Device 
> Management, Honeypots) we can get for our internal network. I was 
> wondering if people would critique the following network, add 
> comments, suggestions and alternative methods/pieces of software. 
> (Perhaps if it goes well we could make a short paper out of it, for 
> others to use.)
> 
> -Windows 2012 Server
> -VMWare virtual machines running Win 8 for remote access
> -Industry standard hardening and lock down of all OS systems.
> -Constantly changing proxies
> -PGP email with BES
> -Cryptocard tokens
> -Sophos Enterprise Protection, Encryption and Patch management
> -Sophos mobile management
> -Encrypted voice calls for mobile and a more secure alternative to 
> Skype via Silent Circle.
> -TrueCrypt on all drives - set to close without use after a 
> specific time
> -Easily controlled kill commands
> -False and poison pill files
> -Snort IDS
> -Honeypots
> -Tripwire
> -Cisco Network Appliance
> -No wifi
> -Strong physical protection in a liberal country as regards human 
> rights
> 
> I know there are many other factors, good training, constant 
> monitoring, avoiding spearphishing, penetration testing, etc but if 
> possible I would please like to keep the conversation on the 
> network design and software.
> 
> Thanks guys.
> -Anon
> 



[liberationtech] Designing the best network infrastructure for a Human Rights NGO

2013-02-28 Thread anonymous2013
Hi, 
We are a human rights NGO that is looking to invest in the best 
possible level of network security (protection from high-level 
cyber-security threats, changing circumvention/proxy to protect IP 
address etc, encryption on endpoints and server, IDS/Physical and 
Software Firewall/File Integrity Monitoring, Mobile Device 
Management, Honeypots) we can get for our internal network. I was 
wondering if people would critique the following network, add 
comments, suggestions and alternative methods/pieces of software. 
(Perhaps if it goes well we could make a short paper out of it, for 
others to use.)

-Windows 2012 Server
-VMWare virtual machines running Win 8 for remote access
-Industry standard hardening and lock down of all OS systems.
-Constantly changing proxies
-PGP email with BES
-Cryptocard tokens
-Sophos Enterprise Protection, Encryption and Patch management
-Sophos mobile management
-Encrypted voice calls for mobile and a more secure alternative to 
Skype via Silent Circle.
-TrueCrypt on all drives - set to close without use after a 
specific time
-Easily controlled kill commands
-False and poison pill files
-Snort IDS
-Honeypots
-Tripwire
-Cisco Network Appliance
-No wifi
-Strong physical protection in a liberal country as regards human 
rights

I know there are many other factors, good training, constant 
monitoring, avoiding spearphishing, penetration testing, etc but if 
possible I would please like to keep the conversation on the 
network design and software.

Thanks guys.
-Anon
