[liberationtech] Designing the best network infrastructure for a Human Rights NGO
Andrew Lewis
me at andrewlew.is
Thu Feb 28 05:58:20 PST 2013
I'd personally recommend the hardening guide from the NSA, they know
their stuff. As for the Linux brigade, a Bradley secured Linux install
that is poorly managed is not better than a decently managed Linux
distro. I have to go look at some of the products you wrote down, but
this looks like a decent shopping list for a reasonably secure
environment.
On Mar 1, 2013, at 2:43 AM, "anonymous2013 at nym.hush.com"
<anonymous2013 at nym.hush.com> wrote:
> Frankly you're what's wrong with a small minority of the people on
> LibTech. NGOs have to balance cost, security, people, user needs,
> current infrastructure, software/hardware donation programs, man
> hours etc etc... Every idiot knows Linux is more secure in many ways
> than Windows yet sometimes other factors come into play that
> require the use of MS.
>
> This topic is a genuine topic that has not been looked at to my
> knowledge by the movement - we have tons of material on VOIP
> safety, encryption, device management etc but not much on actual
> network design... I hope you're glad that your smart-ass comments have
> dragged it sideways within the first two posts, to the detriment of
> the group.
>
> I have no interest in being trolled. Is there anyone on the list
> that wants to talk through this and give me some direct advice on
> how to implement a safe NGO operational network?
>
> On Thu, 28 Feb 2013 13:35:26 +0000 "Bill Woodcock" <woody at pch.net>
> wrote:
>> Sorry, thought you'd asked for advice about the "best possible"
>> way to do it. Didn't realize you meant "best possible with no time
>> or attention." But, wait, that's not quite it either, is it? You
>> meant that you don't want to invest _your_ time and attention, but
>> you think people on the list can solve that for you by
>> contributing _our_ time and attention? I'm not sure it works that
>> way, but perhaps someone who's feeling more charitable than I am
>> right now can suggest the "best possible" solution that requires
>> none of your time and attention and runs on Windows.
>>
>> Since I'm now 34 hours into an Ottawa-bound itinerary for the CIF,
>> a tip of the hat to Canada: "As secure as possible, under the
>> circumstances."
>>
>> -Bill
>>
>>
>> On Feb 28, 2013, at 8:22, "anonymous2013 at nym.hush.com"
>> <anonymous2013 at nym.hush.com> wrote:
>>
>>> Can we please get back to the issue at hand....
>>>
>>> On Thu, 28 Feb 2013 13:16:03 +0000 "Bill Woodcock" <woody at pch.net>
>>> wrote:
>>>> Ah, yes, those expensive man-hours. Security is so much easier
>>>> when you don't give it time and attention. It also doesn't work.
>>>>
>>>>
>>>> -Bill
>>>>
>>>>
>>>> On Feb 28, 2013, at 8:09, "anonymous2013 at nym.hush.com"
>>>> <anonymous2013 at nym.hush.com> wrote:
>>>>
>>>>> I knew this was coming at some point. Yes I am starting with
>>>>> Windows, it's more functional (awaits incoming) and costs less in
>>>>> terms of expensive man hours (the hidden cost vs software) for a
>>>>> Linux guru to run and monitor the network.
>>>>>
>>>>> On Thu, 28 Feb 2013 13:03:00 +0000 "Bill Woodcock" <woody at pch.net>
>>>>> wrote:
>>>>>> You want to do this securely, and you're _starting_ with Windows?
>>>>>>
>>>>>>
>>>>>> -Bill
>>>>>>
>>>>>>
>>>>>> On Feb 28, 2013, at 7:40, "anonymous2013 at nym.hush.com"
>>>>>> <anonymous2013 at nym.hush.com> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>> We are a human rights NGO that is looking to invest in the best
>>>>>>> possible level of network security (protection from high-level
>>>>>>> cyber-security threats, changing circumvention/proxy to protect IP
>>>>>>> address etc, encryption on endpoints and server, IDS/Physical and
>>>>>>> Software Firewall/File Integrity Monitoring, Mobile Device
>>>>>>> Management, Honeypots) we can get for our internal network. I was
>>>>>>> wondering if people would critique the following network, add
>>>>>>> comments, suggestions and alternative methods/pieces of software.
>>>>>>> (Perhaps if it goes well we could make a short paper out of it, for
>>>>>>> others to use.)
>>>>>>>
>>>>>>> -Windows 2012 Server
>>>>>>> -VMWare virtual machines running Win 8 for remote access
>>>>>>> -Industry standard hardening and lock down of all OS systems.
>>>>>>> -Constantly changing proxies
>>>>>>> -PGP email with BES
>>>>>>> -Cryptocard tokens
>>>>>>> -Sophos Enterprise Protection, Encryption and Patch management
>>>>>>> -Sophos mobile management
>>>>>>> -Encrypted voice calls for mobile and a more secure alternative to Skype via Silent Circle.
>>>>>>> -TrueCrypt on all drives - set to close without use after a specific time
>>>>>>> -Easily controlled kill commands
>>>>>>> -False and poison pill files
>>>>>>> -Snort IDS
>>>>>>> -Honeypots
>>>>>>> -Tripwire
>>>>>>> -Cisco Network Appliance
>>>>>>> -No wifi
>>>>>>> -Strong physical protection in a liberal country as regards human rights
>>>>>>>
>>>>>>> I know there are many other factors, good training, constant
>>>>>>> monitoring, avoiding spear phishing, penetration testing, etc but
>>>>>>> if possible I would please like to keep the conversation on the
>>>>>>> network design and software.
>>>>>>>
>>>>>>> Thanks guys.
>>>>>>> -Anon
>>>>>>>
>>>>>>> --
>>>>>>> Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech