[liberationtech] Designing the best network infrastructure for a Human Rights NGO
SiNA Rabbani
sina at redteam.io
Thu Feb 28 06:06:00 PST 2013
You are listing a lot of technology creating a very complex system. My 2
cents is that you want to design your network as simple as possible, with
the least number of features and access points.
I'd like to bring your attention to hidden services from The Tor Project:
you can achieve end-to-end encryption without relying on the traditional CA
model/business, which is very broken today.
2 factor authentication along with password logins is also recommended.
My #1 concern is that all these technologies require experts to install and
maintain. Any plans there??
Finally, compartmentalization is your best friend. Assume that, despite your
fancy snort box... you are going to get hacked, and be ready for it!
Good luck!
--SiNA
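As an added illustration of the hidden-service suggestion above (an example written for this page, not part of SiNA's post and not the Tor Project's own documentation): the torrc fragment below publishes an internal HTTPS and SSH service as a Tor onion service and restricts it to pre-authorized clients. The directory paths, the client name "alice", and the placeholder keys are hypothetical; v3 client authorization as shown assumes Tor 0.3.5 or later.

```text
## torrc on the NGO's internal server (added example; paths and names are hypothetical)

# Keys and the generated hostname for the onion service live here;
# keep it readable by the tor user only.
HiddenServiceDir /var/lib/tor/ngo_intranet/

# Map onion-service ports to daemons that listen on loopback only,
# so the host exposes nothing on its public interface.
HiddenServicePort 443 127.0.0.1:443
HiddenServicePort 22  127.0.0.1:22

## Restrict who can connect at all: one x25519 key per staff client, stored as
## /var/lib/tor/ngo_intranet/authorized_clients/<name>.auth, e.g. alice.auth:
# descriptor:x25519:<base32 public key placeholder>

## On each staff laptop's torrc, point Tor at the matching private key:
# ClientOnionAuthDir /var/lib/tor/onion_auth/
## where alice.auth_private holds a single line:
# <onion address without .onion>:descriptor:x25519:<base32 private key placeholder>
```

Two properties make this fit SiNA's advice: the .onion address is derived from the service's own public key, so clients authenticate the server by that key rather than by a CA-issued certificate, and binding the backends to 127.0.0.1 with client authorization keeps the service compartmentalized, reachable only by staff whose keys are on the list, while leaving no open port for a scanner to find.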
On Feb 28, 2013 5:43 AM, <anonymous2013 at nym.hush.com> wrote:
> Frankly you're what's wrong with a small minority of the people on
> LibTech. NGOs have to balance cost, security, people, user needs,
> current infrastructure, software/hardware donation programs, man
> hours etc etc... Every idiot knows Linux is more secure in many ways
> than Windows yet sometimes other factors come into play that
> require the use of MS.
>
> This topic is a genuine topic that has not been looked at to my
> knowledge by the movement - we have tons of material on VOIP
> safety, encryption, device management etc but not much on actual
> network design... I hope you're glad that your smart-ass comments have
> dragged it sideways within the first two posts, to the detriment of
> the group.
>
> I have no interest in being trolled. Is there anyone on the list
> that wants to talk through this and give me some direct advice on
> how to implement a safe NGO operational network?
>
> On Thu, 28 Feb 2013 13:35:26 +0000 "Bill Woodcock" <woody at pch.net>
> wrote:
> > Sorry, thought you'd asked for advice about the "best possible"
> > way to do it. Didn't realize you meant "best possible with no time
> > or attention." But, wait, that's not quite it either, is it? You
> > meant that you don't want to invest _your_ time and attention, but
> > you think people on the list can solve that for you by
> > contributing _our_ time and attention? I'm not sure it works that
> > way, but perhaps someone who's feeling more charitable than I am
> > right now can suggest the "best possible" solution that requires
> > none of your time and attention and runs on Windows.
> >
> > Since I'm now 34 hours into an Ottawa-bound itinerary for the CIF,
> > a tip of the hat to Canada: "As secure as possible, under the
> > circumstances."
> >
> > -Bill
> >
> > On Feb 28, 2013, at 8:22, "anonymous2013 at nym.hush.com"
> > <anonymous2013 at nym.hush.com> wrote:
> >
> > > Can we please get back to the issue at hand....
> > >
> > > On Thu, 28 Feb 2013 13:16:03 +0000 "Bill Woodcock" <woody at pch.net>
> > > wrote:
> > > > Ah, yes, those expensive man-hours. Security is so much easier
> > > > when you don't give it time and attention. It also doesn't work.
> > > >
> > > > -Bill
> > > >
> > > > On Feb 28, 2013, at 8:09, "anonymous2013 at nym.hush.com"
> > > > <anonymous2013 at nym.hush.com> wrote:
> > > >
> > > > > I knew this was coming at some point. Yes I am starting with
> > > > > Windows, it's more functional (awaits incoming) and costs less in
> > > > > terms of expensive man hours (the hidden cost vs software) for a
> > > > > Linux guru to run and monitor the network.
> > > > >
> > > > > On Thu, 28 Feb 2013 13:03:00 +0000 "Bill Woodcock" <woody at pch.net>
> > > > > wrote:
> > > > > > You want to do this securely, and you're _starting_ with Windows?
> > > > > >
> > > > > > -Bill
> > > > > >
> > > > > > On Feb 28, 2013, at 7:40, "anonymous2013 at nym.hush.com"
> > > > > > <anonymous2013 at nym.hush.com> wrote:
> > > > > >
> > > > > > > Hi,
> > > > > > > We are a human rights NGO that is looking to invest in the best
> > > > > > > possible level of network security (protection from high-level
> > > > > > > cyber-security threats, changing circumvention/proxy to protect IP
> > > > > > > address etc, encryption on endpoints and server, IDS/Physical and
> > > > > > > Software Firewall/File Integrity Monitoring, Mobile Device
> > > > > > > Management, Honeypots) we can get for our internal network. I was
> > > > > > > wondering if people would critique the following network, add
> > > > > > > comments, suggestions and alternative methods/pieces of software.
> > > > > > > (Perhaps if it goes well we could make a short paper out of it, for
> > > > > > > others to use.)
> > > > > > >
> > > > > > > -Windows 2012 Server
> > > > > > > -VMWare virtual machines running Win 8 for remote access
> > > > > > > -Industry standard hardening and lock down of all OS systems.
> > > > > > > -Constantly changing proxies
> > > > > > > -PGP email with BES
> > > > > > > -Cryptocard tokens
> > > > > > > -Sophos Enterprise Protection, Encryption and Patch management
> > > > > > > -Sophos mobile management
> > > > > > > -Encrypted voice calls for mobile and a more secure alternative to
> > > > > > > Skype via Silent Circle.
> > > > > > > -TrueCrypt on all drives - set to close without use after a
> > > > > > > specific time
> > > > > > > -Easily controlled kill commands
> > > > > > > -False and poison pill files
> > > > > > > -Snort IDS
> > > > > > > -Honeypots
> > > > > > > -Tripwire
> > > > > > > -Cisco Network Appliance
> > > > > > > -No wifi
> > > > > > > -Strong physical protection in a liberal country as regards human
> > > > > > > rights
> > > > > > >
> > > > > > > I know there are many other factors, good training, constant
> > > > > > > monitoring, avoiding spear-phishing, penetration testing, etc but if
> > > > > > > possible I would please like to keep the conversation on the
> > > > > > > network design and software.
> > > > > > >
> > > > > > > Thanks guys.
> > > > > > > -Anon
> > > > > > >
> > > > > > > --
> > > > > > > Too many emails? Unsubscribe, change to digest, or change
> > > > > > > password by emailing moderator at companys at stanford.edu or
> > > > > > > changing your settings at
> > > > > > > https://mailman.stanford.edu/mailman/listinfo/liberationtech
>