wiki:org/meetings/2015SummerDevMeeting/Notes/OpSec101
  • We should have hardware for people who have to use Windows, or touch critical systems.
  • We should probably formalize what our different security centers are, what levels of security we have.
  • We should figure out who our most sensitive users are.
  • Work better with contracting companies
  • Protecting PII is most important. We should isolate this stuff to HR.
  • Our recommendations should cover: OS X/Linux/Windows/phone
    • should have a good security 101 guide with recommendations
    • also recommendation for what NOT to use
  • See the EFF Surveillance Self-Defense toolkit.
  • try to piggyback off somebody else
    • The PRISM Break page gives some advice on alternative software.
    • (Nick has also received offline recommendations from a few people about training/standards.)
  • tutor new people
    • We should do initial training for everybody who touches sensitive info.
  • can we get a security audit? Should we?
  • We need a better passthrough system for anonymous employees/contractors; minimize those who know.
  • Should admins who do admin work maintain a separate admin laptop? Buy them some?
  • Should we require root/admin/etc. work to be done on different laptops? Undecided.
  • Should we declare a minimum level of hardening? Undecided.
  • Use VMs for isolation of activities at least if not laptops.
  • Tutorial on VirtualBox for folks? Is it usable enough?
  • Parallels for less technical folks? Is it usable enough?
  • Transition from noplace to somewhere.
  • Do we monitor STARTTLS failures?
    • Examine STARTTLS status.
  • It would be nice to do multiparty XMPP with our own server.
  • First Look set up their own brand-new security practices.
    • Sue can make the introduction.
    • They could help us!
  • Need an actual training process!
  • We need an SVN plan.
    • SparkleShare? How's that?
    • Sandstorm?
    • Pruning stuff.
    • Prune once every 6 months?
  • Send big writeup to tor-internal
  • Recommend TextSecure and RedPhone to all?
  • GPG training, how?
  • Full-disk encryption (FDE), how?
  • Can we pay contractors and employees in bitcoin?
    • Ask EFF how! We hear they do.
  • Should we have peer trainings?!?
  • Should we maintain company laptops? How?
  • peer support + recommendations!
  • extra training and handholding available as needed!
  • Be clear: we aren't trying to shame you; we're trying to make you and the rest of us safer.
  • Elicitation sensitivity training?
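The "Do we monitor STARTTLS failures?" item above asks a concrete question that a small check can answer. The following is an added example, not code from the meeting notes or from Tor's infrastructure: it parses a raw EHLO reply to see whether STARTTLS is advertised, and a live check function (only run when the script is executed directly) connects to a mail server, attempts the TLS upgrade with certificate verification, and reports the outcome as a status that a monitoring job can alert on. The host name `mail.example.test` and the EHLO reply text are placeholders constructed for the example.

```python
"""STARTTLS status check: is it advertised, and does the upgrade succeed?

Added example for the "Do we monitor STARTTLS failures?" item. The EHLO reply
below is constructed, and mail.example.test is a placeholder host.
"""
import smtplib
import ssl

# Constructed sample of a raw multi-line 250 EHLO reply (RFC 5321 4.1.1.1),
# as you would see it in a packet capture or by talking to port 25 by hand.
CONSTRUCTED_EHLO_WITH_STARTTLS = (
    b"250-mail.example.test Hello client.example.test\r\n"
    b"250-SIZE 35882577\r\n"
    b"250-8BITMIME\r\n"
    b"250-STARTTLS\r\n"
    b"250 ENHANCEDSTATUSCODES\r\n"
)

# Same server, but a plaintext-only capability list (constructed).
CONSTRUCTED_EHLO_PLAINTEXT_ONLY = (
    b"250-mail.example.test Hello client.example.test\r\n"
    b"250-SIZE 35882577\r\n"
    b"250 8BITMIME\r\n"
)


def parse_ehlo_extensions(ehlo_reply: bytes) -> set:
    """Return the extension keywords advertised in a raw EHLO reply.

    The first line carries the server's domain, not an extension, so it is
    skipped. Each later line is "250-KEYWORD [params]" or "250 KEYWORD".
    """
    extensions = set()
    lines = ehlo_reply.decode("ascii", errors="replace").splitlines()
    for line in lines[1:]:
        if not line.startswith("250"):
            continue
        body = line[4:].strip()  # drop the "250-" / "250 " prefix
        if body:
            extensions.add(body.split()[0].upper())
    return extensions


def offers_starttls(ehlo_reply: bytes) -> bool:
    """True when the raw EHLO reply advertises STARTTLS."""
    return "STARTTLS" in parse_ehlo_extensions(ehlo_reply)


def check_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check: connect, EHLO, then try to upgrade to TLS.

    Returns a status dict instead of raising, so every failure mode
    (unreachable, not advertised, handshake or certificate failure) is
    recorded and can be fed to a monitoring system.
    """
    result = {"host": host, "port": port, "advertised": False,
              "tls_ok": False, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as server:
            server.ehlo()
            result["advertised"] = server.has_extn("starttls")
            if not result["advertised"]:
                result["error"] = "STARTTLS not advertised"
                return result
            # Default context verifies the certificate chain and host name,
            # so a self-signed or mismatched certificate shows up as a failure.
            context = ssl.create_default_context()
            server.starttls(context=context)
            server.ehlo()  # capabilities must be re-read after the upgrade
            result["tls_ok"] = True
    except (smtplib.SMTPException, OSError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def classify(result: dict) -> str:
    """Map a check_starttls() result to a monitoring state.

    "ok"          - advertised and the verified TLS upgrade succeeded
    "tls_failure" - advertised, but the handshake or verification failed
    "no_starttls" - server reachable but plaintext only
    "unreachable" - could not connect or complete EHLO
    """
    if result["tls_ok"]:
        return "ok"
    if result["advertised"]:
        return "tls_failure"
    if result["error"] == "STARTTLS not advertised":
        return "no_starttls"
    return "unreachable"


if __name__ == "__main__":
    # Placeholder host; replace with the MX you actually operate.
    status = check_starttls("mail.example.test")
    print(classify(status), status)
```

Run the live check from a cron job against your own MX hosts and alert on anything other than `ok`; a sudden `no_starttls` or `tls_failure` on a server that previously reported `ok` is exactly the kind of silent downgrade the notes are asking about.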
Last modified on Oct 8, 2015, 1:52:16 PM