1 of 16

TOC

Social Media

2 of 16

OSE Web Strategy

Team:

Jonathan Kocurek
Colby Thomson
Marcin Jakubowski

Approach:

Create Web Strategy, with separate team executing strategy

Goals:

Assess Current State

Tools
Security & Backup
Administration

Wiki page on OSE Web Infrastructure

Next Steps:

Assess password tools
Get all passwords to all tools
Put passwords into new Password Tools
Change recovery address for any service where recovery email exists - do not use the email at your own domain
Document existing login/management/version/backup state

3 of 16

Meeting Log

April 6
April 13
April 22
April 27

April 27th Agenda

Review/Modify Agenda
Review Prework
Urgent Tasks
Outcomes
Proposals
Assign roles/tasks
Set next meeting

Server - admin login

Hetzner

Open ID

4 of 16

Meeting 4/27/15

Hetzener - 100G limit
Do not do FTP (doesn’t encode passwd) - log in using SSH or SFTP
Use SSH or SFTP client - SSH

THere is a place where we can point your private key. Public key will b in server
How to Input private key in filezilla
Use Putty - seems easier

Connection -> SSH -> Auth - asks you for private key file

In terminal - do comman line - ssh osemain@opensourceecology.org

How to create and use a private and public key
Once connected to the server, use vim ~osemain/.ssh/authorized_keys - edits the

ssh -i /path/to/private-key osemain@oopensourceecology.org

On my computer I generate the private key - https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2
Edit public key file. Assume that
I should have a ppk file (Windows).

On Linux - it’s id_dsa or id_rsa (private); id_dsa.pub or id_rsa.pub (public); chmod go= /path/to/file
standard key path is ~/.ssh/
Should have

backup:

SErvices - settings - cronjob manager -> that’s where scripts are scheduled

5 of 16

Critical Path

IT Development Team

IT Infrastructure Assessment

Proposed IT Infrastructure Changes

Documentation IT Infrastructure

Implement Changes

Testing

6 of 16

Social Media = Tech Community Strategy

Grow quality, not quantity
Equate or Integrate Social Media Tightly with Development Process
Establish relationships with leaders
Invite leaders to development event in 2016
Grow within all open source networks, ex: Linux, Eclipse 80k, Open Source Ag, Open Source Everything, FreeCAD 3k, Kdenlive 500, Ubuntu 1.1M, Zeitgeist 226k, QGis 12k, NAFEX 1k, P2P Foundation 5k, OuiShare 25k, Greenhorns 9k, Public Lab 2k, OpeningDesign 200, APDuino 1k, Farmshow 28k, OS For You 511k, Open Source Aquaponics 1k, ROS 1k, Lulzbot 3k, wikihouse 3k, Low-Tech 8k, Velocar .5k, Wikipedia 5M, Joe Rogan 261k, Open Source Permaculture 3k, Blender 53k, Cohabitat 55k, Appropedia 4k, Habitat for Humanity 385k, Engineers Without Borders 10k, OSBG 2k, Outernet 7k, TED Ed - 750k, Rensselaer Center for Open Source, OpenBuildings 100k, Engineering 1.4M

Eclipse - advisory board member on OSE Platform
Linux Foundation - advisory board on Dev Process
Wikimedia foundation - collaborative project on templates or others
Appropedia - templates sharing
FreeCAD
Kdenlive
Blender
Qgis

7 of 16

April 6th, 2015

IT Assessment
Infrastructure documentation
Proposed changes
Testing
Implementation
Documentation

Assessment Phase (Server admin)

Security Password Management
Server management

Document Infrastructure

Backup & Data management

Where?
How?

Applications

Wiki
Website

8 of 16

Move Gandi.net registration over to Dreamhost
Verify Backup of Data -
Access ssh ? Hetzner does not support ssh.
Assess load capacity of Hetzner vs Dreamhost
Generate password strength reports for all of LastPass passwords

Notes:

colby@colbyt.com, elifarley@opensourceecology.org, helpingyouplan@gmail.com, marcin@opensourceecology.org - receive notices at Hetzner

To Do

9 of 16

Server Assessment

Server IP Addresses - https://konsoleh.your-server.de/
DNS - https://www.hetzner.de/en/
Domain Management - https://panel.dreamhost.com/
FTP to opensourceecology.org - osemain, Maysville2014

URL: dedi978.your-server.de
Filezilla works on Ubuntu

FTP to hancock.dreamhost.com -
Hetzner account - 4 GB according to Wiki

Level 19 Server
dedi978.your-server.de for SSH - username is osemain for wiki; oseforum for forum; oseblog for blog
When logging in via Terminal: restrict permissions of private key (say prikey.pem)

Download private key from Keepass

Pwd is maysville2015
Restrict permissionions of prikey.pem by chmod 400 prikey.pem

.pem is file type - X.509 Certificate under File Properties

How to save key in Lastpass?
Can make multiple private keys - which can be revoked individually

Port 222
Put private key in hidden folder .ssh on my computer

ls -la shows hidden files in /home/marcin
mv prikey.pem ./.ssh

Dreamhost apparently has unlimited storage for free -- so we should use that as a backup destination and look into our options there.

http://wiki.dreamhost.com/FTP

http://wiki.dreamhost.com/Rsync_Backup

They may not support such backup anymore though... http://wiki.dreamhost.com/Personal_Backup

So we might have to look further

On Dreamhost users can be given FTP, SFTP, or shell access on an individual basis

One thing we'll need to do it audit the existing users and permissions. This is a better model though, than having a single password.

I created an account for myself -- Marcin already has one, and Jonathan could create one

I verified this worked and connected vis SFTP under my own username and password

hancock.dreamhost.com is the address

On Mon, Apr 6, 2015 at 7:31 PM, C. C. Thomson <colby@colbyt.com> wrote:

Notes:

To Do:

The cron scripts on Hetzner are active for daily, weekly, monthly

They call a custom backup script written by Elifarley called mkbp

In the mkbp confilg file you can see where the local backup points to and see that remote backup is turned off (commented out) and local backup is only 1kb file, so it appears not to be working.

The backup, backs up the html files, and the mysql, etc

Backups

Hetzner offers backup space for around $5 month here: http://wiki.hetzner.de/index.php/Backup/en which will be fast and doesn't affect traffic.

We can use a script to backup the files to a remote server using something like Rsync.

This will take a very long time the first time and may significantly slow down the website potentially (not sure)... however, subsequently rysnc only backs up the file differences using an intelligent algorithm, so it should be modest on an ongoing basis.

If we have the space on dreamhost, I would recommend backing up to dream host. We can also backup to other locations such as amazon storage, google drive, etc.

Let's contemplate some options for backup between now and next week, and make sure we get a copy of everything before we make any other substantive changes to the infrastructure..

It looks like dreamhost now does backup through :https://www.dreamhost.com/cloud/storage/

Which is about 2.5c per GB per month. So we can dig into those options a bit.

If we end up moving the whole site over to dreamhost, then we would use another offsite backup option.

Our ping time to hetzner is 40ms, and about 100ms from dream host. It's not clear if dreamhost could handle running the wiki on our current account size or not, from a performance perspective. We would have to do load testing, or user testing to be sure. For now, let's just make sure we are successfully backing up both sites...

10 of 16

Applications Assessment

Wiki

Admin logon

Where will this be stored?
Who will have access?

Database Backup

Where are the backups hosted

hanjin.dreamhost.com?
Password (mose2011) does not work

How often?
Who will monitor the process?

Proposal process

How are changes made?
Who is able to make changes?

Website

Admin logon
Backup

Where is website backup?
How often?
Who will monitor the process?

Forums

Vanilla forums

Admin logon
Database backups
Proposal process

11 of 16

Assessment

1) Crowd Supply is an good place to consider doing kickstarter, and ongoing release of OSE equipment until we are big enough... if you haven't seen it already.

https://www.crowdsupply.com/purism/librem-laptop

2) Lists of open source devices. We discussed curating and synchronizing a wiki. You can see the current state of wikipedia on this issue below. Probably we should add individual contributions to this list when they reach beta.

http://en.wikipedia.org/wiki/List_of_open-source_hardware_projects

3) Open Source computing / collaborator onboarding

If we wanted, we could start with a linux base image, and perhaps one that is compatible with an open source computer platform like beaglebone that had on it all the OSE collaboration and developer tools, or at least a tutorial for getting there.

http://en.wikipedia.org/wiki/Open-source_computing_hardware

On a related note, I am somewhat enamored with these developments in this realm

http://freedomboxfoundation.org/learn/

https://www.crowdsupply.com/inverse-path/usb-armory

12 of 16

Assessment of Password Control Software

4) Password tools

We were currently using keypass(x) - until 3/31/15. It is a tool that allows you to keep an encrypted database of passwords. It is open source and non-commercial and available on many platforms. It's shortcomings are that it is likely to become out of date due to it not having a password sharing model or browser / form fill connectivity.

The tool that I have recently used in business is https://lastpass.com/ and that is currently my recommendation. It operates cross platform on the freemium business model and has good browser integration and password sharing.

I also looked at 1password, which I think I prefer in many regards, but am ruling out due to our need to be inclusive of contributors in various economic zones. https://agilebits.com/onepassword A comparison is here: http://www.podfeet.com/blog/2014/10/lastpass-vs-1password-which-one-is-right-for-you/

Overall comparisons: Here is a write-up which summarizes differences and concludes lastpass as #1: http://www.asecurelife.com/dashlane-vs-lastpass-vs-1password-vs-roboform-vs-keepass/

Here is a contrasting comparison comparing Lastpass (prosposed solution) to our current solution (keypass) that favors keypass. It also address at topology in which keypass could be shared via dropbox: http://gizmodo.com/lastpass-vs-keepass-whats-the-best-online-password-m-1452918307

Thus my overall recommendation is to briefly discuss the merits of lastpass vs keepass in the paradigm of sharing the database over cloud storage.

Suggestion: OSE Account with official passwords on Lastpass, shared with users as needed. To share: Search for name of password.

Can share a password without someone without them seeing it - so you don’t have to change it if you don’t trust the person, or it may be used
For others to be allowed access, they need to install Lastpass

The Chrome/Explorer/Firefox extension allows autofill

13 of 16

WIKI

WEBSITE

SERVER

FORUMS

DREAM HOST

Backups

DISCOURSE

TEST SITE

WORDPRESS

WIKI TEST

SITE

VANILLA

SEMANTIC WIKI E

CIVIC-CRM

Opensourcewarehouse.org

14 of 16

Governance & Protocols

Server Admin

Admins
Secure password management

Last Pass (SPOF)

Hosting
Backup hosting-DreamHost
Mirror site?
Secure email- https://protonmail.ch/
Applications

Principles & Values

Secure
Usable
Efficient
Redundancy

15 of 16

Forward...

IT/Web Team - assess current state
Keepass - new passwords do not scale; because updating KeePass means you send the new file to everyone - people end up not changing passwords

To-Do - assess top 3 Password Management Questions
Think about your threat model

Server Admin Protocol

Document and Develop training

Forum:

BC of hassle - people don’t update; some wacko will scan internet for old versions of Forum

16 of 16

Keepass Update Requirements

Recovery email address -
Vanilla Forums Admin - password does not work