<div dir="ltr">Have a look at
<a href="https://openappstack.net/">https://openappstack.net/</a> for a method to bootstrap the launching of a cluster of self-hosted interlinked productivity tools (RocketChat, NextCloud, OnlyOffice) with centralised user management. <div>Neil</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 25 Jun 2020 at 06:00, Julian Oliver <<a href="mailto:julian@julianoliver.com">julian@julianoliver.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">In Extinction Rebellion we increasingly use a self-hosted deployment of<br>
Cryptpad, for simple click-and-go cloud-like document editing and storage,<br>
encrypted end-to-end. Here's the developer's own deployment:<br>
<br>
- <a href="https://cryptpad.fr" rel="noreferrer" target="_blank">https://cryptpad.fr</a><br>
<br>
Cryptpad however doesn't offer a complete replacement for something like<br>
Nextcloud, which allows for the upload of diverse content/mimetypes (not just<br>
documents), with click-to-view for video and PDF documents. Nextcloud does offer<br>
an encryption addon now that is quite interesting, for full client-side E2EE:<br>
<br>
- <a href="https://nextcloud.com/encryption/" rel="noreferrer" target="_blank">https://nextcloud.com/encryption/</a><br>
<br>
I think Nextcloud on an AES-XTS 512-bit encrypted filesystem, on a sufficiently<br>
capable dedicated community-owned host/server, and optionally with that same<br>
client-side E2EE, is a great solution and is working well for the activist<br>
communities I support. Files and folders can be shared as public links as<br>
desired, with optional password protection. <br>
<br>
For a further degree of security, make it solely available over VPN (WireGuard or<br>
OpenVPN, on the same host) with your serverside firewall (ufw, iptables, etc),<br>
passwords in an offline encrypted wallet (KeePass, KeePassXC, etc), TLSv1.2 and<br>
1.3 only. Consider containerisation for isolation from the underlying<br>
filesystem, etc. You may also consider CoLo and using epoxy resin to glue the<br>
RAM into the slot to mitigate the key-theft from RAM (physical) vector.<br>
<br>
Globally warm regards,<br>
<br>
Julian<br>
<br>
..on Wed, Jun 24, 2020 at 07:20:46PM -0700, Marc Sunet wrote:<br>
> I'd be interested in learning more about that setup.<br>
> <br>
> Something else you could do is to encrypt your files before syncing them<br>
> with your cloud of choice. But then we're also complicating the<br>
> situation beyond what an average person would be able to handle.<br>
> <br>
> /> The crux of it is a lot of systems, like nest cameras, sacrifice<br>
> security for simplicity for end users by sticking cloud in the middle to<br>
> avoid dealing with VPNs or port forwarding, etc./<br>
> <br>
> That's a nice way of putting it :) Those guys have in the past shipped<br>
> cameras with default passwords, for example, which is sacrificing<br>
> security for simplicity well beyond what is required. You could, for<br>
> example, have the user go through a one-time setup that creates a random<br>
> key with which the video is encrypted. Of course, that would mean the<br>
> company would no longer have access to the video streams and put<br>
> an end to their surveillance economy, which is probably what they were<br>
> after to begin with (I can imagine these companies harvesting hours and<br>
> hours of video to train face recognition software and engage in other<br>
> such very ethical endeavors.)<br>
> <br>
> On 6/20/20 11:45 AM, Yosem Companys wrote:<br>
> > <a href="mailto:voss90210@protonmail.com" target="_blank">voss90210@protonmail.com</a> wrote:<br>
> ><br>
> > In my opinion, there is no such thing as a secure cloud. This is<br>
> > because whatever is on the other end of the connection as well as<br>
> > what might lie in between is unknown.<br>
> ><br>
> > In a best case scenario where you have an encrypted, secure<br>
> > connection to a cloud system, it is unknown how many people have<br>
> > access to that system, whether or not it has been breached, etc.<br>
> ><br>
> > Additionally, since it is a shared system with thousands or even<br>
> > millions of other users, each of those users is a potential vector<br>
> > for breach or other data loss/access.<br>
> ><br>
> > As such, we engineer all our systems to be on networks we control<br>
> > and access them by VPN from offsite. This ranges from such simple<br>
> > things as surveillance video or access control systems to storage<br>
> > and other systems.<br>
> ><br>
> > Depending on the type of system, they are either at a client's<br>
> > site and accessed by the client from external places by direct or<br>
> > VPN access (systems we build for clients).<br>
> ><br>
> > Or with our own systems they are on our sites and accessed either<br>
> > directly or via VPN.<br>
> ><br>
> > If you were setting up something for shared file access, I would<br>
> > put it on a server you own at a site whose network you control and<br>
> > then make it accessible to users by putting it in either of the<br>
> > following places:<br>
> ><br>
> > 1) A DMZ with port forwarded access (good for things like web<br>
> > developers, etc); or,<br>
> ><br>
> > 2) The main LAN or a sub-LAN and accessible by VPN from outside.<br>
> ><br>
> > The crux of it is a lot of systems, like Nest cameras, sacrifice<br>
> > security for simplicity for end users by sticking cloud in the<br>
> > middle to avoid dealing with VPNs or port forwarding, etc.<br>
> ><br>
> > That ease of initial setup compromises the level of security long<br>
> > term, so we never do it.<br>
> ><br>
> > Is it a bit more hassle? Yes. However, we've never had a breach<br>
> > in 3 decades.<br>
> ><br>
> > If anyone on the list needs help setting up something like this I<br>
> > can help. It's really easy once you know how.<br>
> ><br>
> > I've actually been thinking about developing a "ZeroCloud"<br>
> > certification and offering it to products with no middle component<br>
> > as such - a simmering idea at present.<br>
> ><br>
> > On Sat, Jun 20, 2020 6:24 PM, fuzzyTew <<a href="mailto:fuzzytew@gmail.com" target="_blank">fuzzytew@gmail.com</a>> wrote:<br>
> ><br>
> > git-annex assistant is a gui for git-annex which automates file<br>
> > syncing using a git repository to store hashes and locations and<br>
> > history of those things changing. <br>
> > <a href="https://git-annex.branchable.com/" rel="noreferrer" target="_blank">https://git-annex.branchable.com/</a> . It's written in Haskell. I<br>
> > use it manually on the command line which works well enough; I<br>
> > don't use the daemon or gui but they exist.<br>
> ><br>
> > On Sat, Jun 20, 2020, 1:34 PM Yosem Companys<br>
> > <<a href="mailto:ycompanys@alumni.stanford.edu" target="_blank">ycompanys@alumni.stanford.edu</a>> wrote:<br>
> ><br>
> > That is the rub, isn't it?<br>
> ><br>
> > Thanks for the links, Marc!<br>
> ><br>
> > On Sat, Jun 20, 2020 5:11 PM, Marc Sunet <<a href="mailto:msunet@shellblade.net" target="_blank">msunet@shellblade.net</a>> wrote:<br>
> ><br>
> > I do not have experience with this, but my go-to for these<br>
> > kinds of questions is often <a href="http://privacytools.io" rel="noreferrer" target="_blank">privacytools.io</a>:<br>
> ><br>
> > <a href="https://www.privacytools.io/providers/cloud-storage/" rel="noreferrer" target="_blank">https://www.privacytools.io/providers/cloud-storage/</a><br>
> ><br>
> > Currently the only one listed there is Nextcloud (ignore<br>
> > Keybase, sold to Zoom):<br>
> ><br>
> > <a href="https://nextcloud.com/providers/" rel="noreferrer" target="_blank">https://nextcloud.com/providers/</a><br>
> ><br>
> > You can self-host or rent storage. Based in Germany,<br>
> > GDPR-compliant and all. At the end of the day you're<br>
> > putting your files in someone else's servers though.<br>
> ><br>
> > Marc<br>
> ><br>
> > On 6/20/20 10:00 AM, Yosem Companys wrote:<br>
> >> I am especially interested in secure alternatives to<br>
> >> Google Drive that are both secure and convenient and in<br>
> >> your experience with these tools.<br>
> >><br>
> >> Thank you,<br>
> >> Yosem<br>
> > -- <br>
> > GPG: 9C2A AF1D CC91 0A53 AB0A B6A1 C457 0E01 081F 8F91<br>
> ><br>
> > <a href="https://emailselfdefense.fsf.org/" rel="noreferrer" target="_blank">https://emailselfdefense.fsf.org/</a><br>
> ><br>
> > -- <br>
> > Liberationtech is public & archives are searchable from any<br>
> > major commercial search engine. Violations of list guidelines<br>
> > will get you moderated:<br>
> > <a href="https://lists.ghserv.net/mailman/listinfo/lt" rel="noreferrer" target="_blank">https://lists.ghserv.net/mailman/listinfo/lt</a>. Unsubscribe,<br>
> > change to digest mode, or change password by emailing<br>
> > <a href="mailto:lt-owner@lists.liberationtech.org" target="_blank">lt-owner@lists.liberationtech.org</a><br>
> > <mailto:<a href="mailto:lt-owner@lists.liberationtech.org" target="_blank">lt-owner@lists.liberationtech.org</a>>.<br>
> ><br>
</blockquote></div>
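Julian's VPN-only layout above (Nextcloud on the same host as WireGuard, with the host firewall dropping everything except the tunnel endpoint), worked through as an added nftables example that is not from the thread or from the Nextcloud project; the interface names eth0/wg0, the UDP port 51820 and the tunnel subnet 10.8.0.0/24 are assumptions:

```shell
#!/bin/sh
# Added example, not from the thread: generate an nftables ruleset for a host that
# runs both Nextcloud and WireGuard, so that HTTPS (and SSH) are reachable only
# through the tunnel. Assumed names: public interface eth0, tunnel interface wg0,
# WireGuard UDP port 51820, tunnel subnet 10.8.0.0/24 (all hypothetical).

# build_ruleset PUBLIC_IF WG_IF WG_PORT WG_NET  -> ruleset text on stdout
build_ruleset() {
    pub_if="$1"; wg_if="$2"; wg_port="$3"; wg_net="$4"
    cat <<EOF
flush ruleset
table inet nextcloud_fw {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, icmpv6 } accept
        # the only port exposed on the public interface is the WireGuard endpoint
        iifname "$pub_if" udp dport $wg_port accept
        # Nextcloud (443) and SSH (22) are accepted solely from tunnel peers
        iifname "$wg_if" ip saddr $wg_net tcp dport { 22, 443 } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# check_ruleset PUBLIC_IF  (ruleset on stdin) -> 0 if the input policy is drop
# and no rule accepts TCP 443 arriving on the public interface, else 1.
check_ruleset() {
    pub_if="$1"
    ruleset="$(cat)"
    printf '%s\n' "$ruleset" | grep -qF 'hook input priority 0; policy drop;' || return 1
    if printf '%s\n' "$ruleset" | grep -F "iifname \"$pub_if\"" | grep -q 'tcp dport.*443'; then
        return 1
    fi
    return 0
}

# Typical use (as root): write the file, syntax-check it, then load it.
#   build_ruleset eth0 wg0 51820 10.8.0.0/24 > /etc/nftables.conf
#   nft -c -f /etc/nftables.conf && nft -f /etc/nftables.conf
```

TLS version pinning (TLSv1.2 and 1.3 only) is a web-server setting and is not covered by the firewall above.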