Written by Chris Nielsen
February 11th is “Safer Internet Day” as declared by the UK-based organization www.saferinternet.org.uk. We need to change our mindset about security and civil liberties. In the fast-paced, high-tech world we live in today, everyone seems to want everything faster and cheaper, and security seems to be one of the most neglected areas in the value chain. That is, until you get violated.
Here are some real world threats and 10 things you can do to make a difference:
Examples include Target Stores recently estimating that nearly 70+ million credit cards were compromised, numerous identity theft cases in the news, and the information that folks like Edward Snowden have exposed. Did you know the NSA and just about any crafty hacker with a purpose can completely access any of your electronic devices, including turning on your cell phone/laptop mics or cameras without you even knowing it? This in my mind can make interacting with cyberspace much scarier than the “Wild Wild West” ever was.
See: http://www.npr.org/blogs/alltechconsidered/2014/01/17/263375116/analysts-credit-card-hacking-goes-much-further-than-target As quoted from another news article: "Attention 70 million Target shoppers: the people who stole your credit and debit card information also have your mailing address, email account and phone number."
Chaos in the marketplace
I recently found a collection of interesting videos recorded at the Chaos Communication Congress held this past December over in Germany. While many of these were extremely geek oriented and some so intense they left my head spinning, I did learn more about some mind blowing challenges in the security and civil liberties space we all should be aware of.
Most folks seem to have followed the newsbytes about the “Edward Snowden Case” but few realize the real information he shared, what it exposed and what this really means.
The first videos in this exploration opened my eyes to some scary realities: https://www.youtube.com/watch?v=vILAlhwUgIU and that led me to a whole collection of similar videos: http://media.ccc.de/browse/congress/2013/
If you take a few minutes poking through this stuff you will most likely see a picture you may not have considered in the past.
Be aware, take steps to protect yourself and never assume
Back in 2000, while working on a military base for the Naval Underwater Warfare Center (NUWC), I was one of the first to play with tunneling through port 80 using Flash Communication Server. Imagine a spy being able to broadcast secrets anywhere over the internet directly from within a military base or any highly secure facility. I exposed a major hole in their firewall security that their IT experts had no clue about. Why? Because at the time it was new emerging technology and they were looking at security from the perspective of what they learned in school, not what was emerging on the street. We are in a similar boat today: even though we may have some of the smartest folks and high-tech tools helping us to protect our cyber assets, there are no guarantees. There are plenty of folks with techniques, motive and know-how out there waiting to blindside us and steal our money or most valuable secrets. Remember, for all of the groovy new tools that we now have for doing good and making things convenient online, there are equally as many advancements in tools that could be used against us. Being aware of the potential vulnerability you have by interacting with these new technologies is the first step, and it may require a little more effort than in the past given the proliferation of technology all around us.
The end of “Social Security” has a double meaning on the web
Having worked on military bases and secure facilities for 5 years, where security is ingrained in our heads to be a disciplined process we all had to follow, I was eager to jump back into the private sector where I thought things could be a little more lax. I could not have been further from the truth. It is just as important for us in our personal lives and business practices to keep a strong focus on security. We lock the doors to our cars and houses but often we do not consider potential access to much more valuable stuff kept on our electronic devices.
I went on YouTube yesterday and found 15 videos on how to hack any Facebook account and log in as any user. By now most people know that when you put information up on Facebook “they” then own it and “they” have very loose “Non” privacy rules. However, these networks, fun and exciting as they may be, lead us to let our guard down. It is way too easy for folks with motives to put together complete pictures of your life from small pieces of information and use it in ways that they could take advantage of.
Having many friends in the security community, over the years I have been exposed to some intense tools hackers use to get “their way” online. I was curious, though, to see what would be out there for the average person other than typical antivirus software. I started searching for tools to protect all of my personal devices, networks, etc.
This search ended up scaring me even more, since I found very few tools that an average user can use to fight off the bad guys. Remember, (thanks to Edward Snowden) we know now that there have been backdoors built into the actual chips on most hardware built in the past 5+ years. It was pointed out to me that anti-virus and anti-spyware software cannot protect you from access by the craftiest hackers, and they can operate in stealth. I found more easy-to-follow tutorials on things like “man in the middle” attacks, where someone hacks your wireless router and can spy on everything you do on your desktop. I also found services that allow you to spy on anyone with a cell phone: http://www.flexispy.com/ and http://www.mobile-spy.com/. If you really start thinking about it and look deeper, there is a lot to be concerned with for your business, your family and personal privacy.
Keep your CMS Up to date!
Businesses are rushing to the internet since it has the potential to make them more competitive in a global marketplace and they can now reach broader audiences. There are three dominant open source content management systems in the marketplace: Joomla, Drupal and WordPress. Each of these CMSs has best use cases and strengths for a variety of online solutions. Our experience has taught us that the number one way folks leave themselves vulnerable online is by not keeping their web applications up to date. Remember, technologies are advancing at a rapid pace. How many of you keep the same cell phone or laptop for more than 2 years? Software development is moving at an even faster pace than hardware, and this means not only are there more great features that you can take advantage of by upgrading your CMS, but the longer you wait to do so the more time hackers have to try to break the older technologies.
One thing that is very fascinating to me is that in the “hacker community” or on the “dark web”, once one person figures out some type of vulnerability, they spread it across a vast network of web hackers that have the potential to do a lot of damage long before there is even a fix available.
One of the reasons we chose to focus our support on Joomla is that its vast development community can respond with security patches quickly, and Joomla puts security as their top priority. In fact, the latest version of Joomla even offers double authentication, just like many bank sites that will send you a security code that is only good for a short period, so it is nearly impossible to hack your login. Equally important as keeping your CMS up to date is understanding the infrastructure and security policies of your hosting company. If you are the owner of any site and you get hacked and this leads to anyone’s personal information being compromised, not only can they shut you down immediately but they will hold you liable for all damages. Think about that for a moment: if 70 million folks can get hacked on Target’s network, what would happen if they got into the cloud where your site was hosted and that was the origin of a massive hack? Not a pretty picture.
Oh My G… What can I do?
OK, enough with the scary stuff and on to some practical options for protecting yourself. As you begin thinking in a more security-conscious way, you need to identify what information, communications and technical assets you want to protect and keep private. Once you have a clear picture of your security landscape, you may find these tips and tools helpful.
1. Be AWARE and stay in the loop. Subscribe to RSS feeds, newsletters or information channels that can keep you informed on what threats are out there.
2. Seek advice from experts. If you run a business, online or off, audit your systems on a regular basis. Build a support team that can be proactive and responsive when it comes to security. Network security is often different from online web security, so make sure you have all of the right expertise on your team.
3. Develop a security emergency protocol for how to respond to various situations both personal and for your business networks or web sites. Keep call lists and information available that can help you respond quickly. If a pipe breaks in your house the longer it goes with the water running the more damage that can be done.
4. Surf on a TOR browser to protect your privacy. There is an interesting open source project called the TOR network: https://www.torproject.org/. This web site has a collection of privacy tools and suggestions for setting up things like encrypted emails.
5. Set up encrypted email and encourage others to do so. Here is one tool for this: http://www.gpg4win.org/features.html and here is a tutorial: http://lifehacker.com/how-to-encrypt-your-email-and-keep-your-conversations-p-1133495744
6. Get security software for your cell phone, such as https://silentcircle.com/ services or other apps.
7. Install encryption on your VoIP phones. Use a service or look around for options. Here are a couple of sample links: http://zfoneproject.com/ or http://lifehacker.com/255283/how-to-encrypt-your-voip
8. Use strong passwords and keep your private passwords protected in a tool like KeePass: http://keepass.info/ There are also several other online services to research.
9. If you have a web site for your business, make sure you keep it up to date and use secure passwords. We also recommend using a web application security solution like http://www.securelive.com. I would also recommend reading Tom Canavan’s book CMS Security Handbook: http://www.amazon.com/CMS-Security-Handbook-Comprehensive-WordPress/dp/0470916214
10. Get involved with organizations, events and resource groups that foster safety and security online, such as http://www.saferinternet.org.uk/ Notice: Feb. 11th, 2014 is Safer Internet Day. There are plenty more… go find them and speak up!
There are a ton of other steps you can and should take, as well as many more tools, books and blogs to investigate. The most important thing you can do, though, is to always think consciously about security. Start developing new habits and discipline yourself to be more aware of how you can be protective of your privacy and technology assets.
Written by Chris Nielsen
Leadership in an open source community; what does it mean and how can you check and balance within a fluid ever changing passionate volunteer environment?
Recently at the Joomla World Conference I had the privilege to listen to a presentation from Matt Mullenweg, a co-founder and leader in the WordPress movement, on their journey in building their open source community. Their success and story is quite similar and inspiring. Interacting with so many folks over the three days of the conference (http://conference.joomla.org) and seeing the similarities within these two diverse communities made me ask many questions around what is and should encompass leadership within volunteer driven communities.
The Four Freedoms
Several of the points made in Matt's presentation were around "The Four Freedoms", and it is important for newcomers and veterans alike to remind ourselves that we need to keep them as the backdrop and guidance on our journey interacting within the communities that we choose to associate ourselves with or become involved in.
A program is free software if the program's users have the four essential freedoms:
· The freedom to run the program, for any purpose (freedom 0).
· The freedom to study how the program works, and change it so it does your computing as you wish (freedom 1). Access to the source code is a precondition for this.
· The freedom to redistribute copies so you can help your neighbor (freedom 2).
· The freedom to distribute copies of your modified versions to others (freedom 3). By doing this you can give the whole community a chance to benefit from your changes. Access to the source code is a precondition for this.
The Art of Community
For guidance I am enjoying a great book right now called "The Art of Community". There is even a conference held every year for leaders in like-minded communities to share ideas and gather insights.
So far I have noticed that one of the things that comes to the forefront in every community as it evolves, especially volunteer-driven communities, is power struggles and personality conflicts. This can have a profound impact on morale and on the pace or process in which things can get accomplished. It can also divide your community into rival factions, as was in part the case when Joomla broke off from the Mambo project. I think there are three key factors that need to be in place to maneuver around this gracefully.
1. Be able to stay focused on the mission and when things get out of hand bring everyone back on target and with enthusiasm (sometimes easier said than done). This means everyone at every level needs to dedicate themselves to bringing the focus back to a clear mission and purpose.
2. Leadership has to be aggressive in a way parallel to a pastor with a parish, where they continue to nurture the spiritual health of the congregation. Whether it is an individual, teams, or teams of teams, every level of the leadership has to always be thinking of mending conflicts and encouraging more participation around the central principles and mission. They need to go out of their way to be selfless and to thank contributors regardless of how small the contribution.
3. I think a key element for maintaining "spark" in any community is to first attract the right talent in the right areas and then inspire them to participate. From there if the community is to grow you need to keep them inspired and challenged with the potential of even greater possibilities. Directing talent and enthusiasm into the areas of the project where individuals can get the greatest satisfaction and experience can bolster participation and a stronger healthier organization over a longer period of time.
Be Your Best and Always Try to do Better
At the end of the day when you take part in a community there is give and take and you have to be willing to always "be" or do your best, strive to get better, learn from your mistakes and to show the greatest level of respect and compassion for others.
It is OK to disagree, because there is often an over-democratic process. One has to try not to let the inner struggles of problem solving in this type of environment overwhelm you with frustration or even, at times, anger. This can often be the case when you have passionate, opinionated people with different skills, approaches or backgrounds collaborating.
In an ever personal and high-passion volunteer environment we are all bound to step on someone's toes or bum someone out at some point. There is an old saying: "The only way to have a friend is to be one." Sometimes we need to be uplifted by others and sometimes we need to give pep talks to encourage those around us when they become discouraged. That is how we can achieve great things as a community, by being there for each other. In a community we are all friends trying to achieve common goals, be it for personal or business reasons. Let us never lose our excitement for these goals. I think this care and compassion for each other and passion for a common purpose is at the core of how any community thrives. On top of that, we should have a good time doing so. We should never take the fun out of sharing in these experiences while making the world a better place.
I am passionate about Joomla and the open source movement in general. So to my original question, it would be my hope that leadership responsibility comes from all of us and from this place it should trickle from the "core across" as well as the bottom up or top down. "Know your place, know your stuff and be a mentor to those around you."