Changes between Version 2 and Version 3 of org/meetings/2015SummerDevMeeting/Notes/OpSec101


Timestamp:
Oct 8, 2015, 1:52:16 PM (4 years ago)
Author:
nickm
Comment:


  • org/meetings/2015SummerDevMeeting/Notes/OpSec101

    v2 v3  
    1 ==== These are nick's quick notes, which Nick still must clean up and explain!  Come to nick with questions. Bug nick if these aren't turned into something readable RSN
    21
     2- We should have hardware for people who have to use Windows,or touch critical systems.
    33
    4 - separate tor hw for windows/central folks
     4- We should probably formalize what our different security centers are, what levels of security we have.
    55
    6 
    7 - can we do different levels/centers of security?
    8 
    9 - Most sensitive users?
     6- We should figure out who our most sensitive users?
    107
    118- Work better with contracting companies
    129
    13 - Protecting PII is most important.
     10- Protecting PII is most important.  We should isolate this stuff to HR.
    1411
    1512
    16 - OSX/linux/windows/phone
     13- Our recommendations should cover: OSX/linux/windows/phone
    1714  - should have a good security 101 guide with recommendations
    1815  - also recommendation for what NOT to use
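Review bot: the added line "We should have hardware for people who have to use Windows,or touch critical systems." is missing the space after the comma; suggest "Windows, or touch critical systems." The rest of this region is a wording cleanup of the v2 bullets and reads fine.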
     
    2118  - try to piggyback off somebody else
    2219    - The [https://prism-break.org/ PRISM break page] gives some advice to alternative software.
     20    - (Nick has also received offline recommendations from a few people about training/standards.)
    2321
    2422  - tutor new people
     23     - We should do initial training for everybody who touches sensitive info.
    2524
    26 - can we get a security audit?
     25- can we get a security audit?  Should we?
    2726
    28 - BUY TOR HW FOR THESE FOLKS.
    29 
    30 - Need a better passthrough system for anonymous employees, minimize those who
    31   know
     27- We need Need a better passthrough system for anonymous employees/contractors, minimize those who
     28  know.
    3229
    3330- admins who do admin stuff should maintain separate admin laptop? Buy them
    3431  some?
    3532
    36 - should we require root /admin/whatnot on different laptops?
     33- should we require root /admin/whatnot on different laptops?  Undecided.
    3734
    38 - Should we declare a minimum level of hardening?
     35- Should we declare a minimum level of hardening? Undecided.
    3936
    4037- Use VMs for isolation of activities at least if not laptops.
    4138
    42 - Tutorial on vbox for folks?
     39- Tutorial on vbox for folks? Is it usable enough?
    4340
    44 - Parallels for less technical folks
     41- Parallels for less technical folks Is it usable enough?
    4542
    4643- Transition from noplace to somewhere.
    4744
    4845- DO we monitor starttls failures?
     46  - Examine starttls status
    4947
    50 - Examine starttls status
    51 
    52 - Multiparty XMPP with our own server.
     48- It would be nice to do multiparty XMPP with our own server.
    5349
    5450- Firstlook set up their own brand-new security practices.
    5551       - Sue can make the introduction.
     52       - They could help us!
    5653
    5754- Need an actual training process!
    5855
    5956- We need an SVN plan.
    60 
    6157   - Sparkleshare?  How's that?
    62 
    6358   - Sandstorm?
    64 
    6559   - Pruning stuff.
     60   - Prune once every 6 months?
    6661
    6762- Send big writeup to tor-internal
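Review bot: the added line "We need Need a better passthrough system for anonymous employees/contractors, minimize those who know." doubles the verb; suggest "We need a better passthrough system for anonymous employees/contractors, minimizing those who know." In the same region the reworded Parallels bullet lost its sentence break: "Parallels for less technical folks. Is it usable enough?"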
     
    7469
    7570- Can we pay contractors and employees in bitcoin?
    76    - Ask EFF how!
     71   - Ask EFF how!  We hear they do.
    7772
    7873- Should we have peer trainings?!?
     
    8479  - extra training and handholding available as needed!
    8580
    86 - Be clear: we aren't trying to shame you we're trying to make you
     81- Be clear: we aren't trying to shame you; we're trying to make you
    8782  and the rest of us safer.
    8883