TLP-WHITE – Energy Associations and Industry Contractors – Russia is targeting you

March 16, 2018: Russia is targeting our critical energy infrastructure. This security bulletin on Russia targeting the energy sector is marked TLP-WHITE.

We appreciate the assistance from the agencies in allowing us to share this with our clients promptly. (Notes below.)

Russia is targeting our critical infrastructure. The US InfoSec community has partially enabled this by allowing the NSA code to be hacked and the OPM database to be breached. Not to mention Facebook, Equifax, Chase, Target, LinkedIn, etc.

TLP-WHITE: Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors

… This alert provides information on Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. It also contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by Russian government cyber actors on compromised victim networks.

NOTE: we have no evidence of anyone specifically targeting a client beyond those we have already contacted directly by email or phone.

All of those incidents, some of which are ongoing, pre-date the incidents described in the bulletin above. Internally we monitor and address individual incidents directly.

If we (Tendenci) detect a direct threat through our security infrastructure at AWS and our redundant logging and monitoring, we will contact your team. If a threat is more global in scope, monitor our social media (this blog and the Tendenci Twitter account). We also recognize the importance of protecting your data, and the importance of your privacy.

I will add that there is little doubt in my mind that the InfoWars don’t also extend to purchasing advertising, perhaps through a third party, on mainstream sites like Netflix, YouTube, CNN, FOX, Telemundo, etc. They just haven’t reported it yet.

We get it. Just please, tell us that you understand it as well? This is a huge expense for us internally and it has the intended result – less innovation and more defense. More resources get tied up to maintain what the client sees as “the normal state of affairs.” 

These are the facts of our current reality. We do not have the privilege to ignore reality.

Celebrating International Women’s Day

Today is International Women’s Day. It is great to see the support of so many different companies behind International Women’s Day. At Tendenci, which has historically had far more women in the role of Programming Manager, and which currently has far more women than men on our team, we obviously agree.

Google has a great video worth watching on International Women’s Day:

We love y’all.

On a personal note (this is Ed typing) it’s hard to believe it’s been over a year since I photographed the Women’s March in San Francisco in late 2016. Y’all just keep rocking. Please!?

Photos from the Women’s March in SF
Women’s March SF 2017


Tendenci AMS API Integration

Python Rules

For more on The Open Source AMS integration via API visit our AMS API Helpfile

Tendenci, the Open Source AMS, is unique in that it is fully open source. However, at times people would prefer to use an API to pull specific information. For that, Django has several API integrations for your Association Management System, such as:

django-tastypie, a REST-based API to your AMS
The Django REST Framework, which the Tendenci community has also been discussing switching to.

APIs aren’t mutually exclusive after all, right? You have options.

There are legitimate reasons to use an API. Examples include integration between a legacy mainframe system, ecommerce, or a development team that has chosen a different platform such as .NET or PHP.

Tendenci doesn’t meet all of the functional requirements for everyone, by design. Instead we work with great technology like machine learning. The open AMS community isn’t focused on reinventing the wheel; it just doesn’t make economic sense for a non-profit, or even a for-profit company, to reinvent it. This is particularly true if you are a cause-based association or non-profit, given the expense.

Does Tendenci AMS work with other providers? Absolutely. Any provider with an API, or that supports SSO or RSS, or that has its own technology like Google Tag Manager.

Non profits don’t have money to waste. Therefore we aligned our product to major industry supported technology.

Our technology stack as of 2018 is:

  1. Tendenci
  2. Django Web Framework
  3. JavaScript and jQuery
  4. Bootstrap CSS
  5. Python Programming Language
  6. Postgres Database with GIS
  7. Docker Containers
  8. Ubuntu

For more on The Open Source AMS integration via API visit our AMS API Helpfile or read up on everything Tendenci Works With. Or if you aren’t into open source, there are definitely alternatives to Tendenci.

If you do pick an alternative, we suggest you consider Security FIRST and go from there.

ctop – measure container cpu utilization like htop

Developers and programmers are frequently (ok, almost always) asked to accomplish the impossible yesterday. So this post is for the Tendenci developers and anyone else who uses Docker containers, cgroups, jailed namespaces or similar.

Situation: You have a server that is spiking when it previously did not.

Let’s just assume you already have something like OSSEC and the Elastic Stack (ELK) installed and are using a WAF/IDS/IPS endpoint. You are on top of your game. You see the errors from writing to the file system in Docker containers using the overlayfs filesystem (please no aufs, just don’t). How to diagnose it:

“htop” is very good at showing you the issue. It (htop) is also frequently replaced by malware, so double-check yourself with “ctop”, which most variants of common malware omit. Regardless, in this case we can clearly see we have a stuck process. Enter “ctop” (open source like Tendenci, and on GitHub).

Running ctop you can quickly identify the container that is using the resources and then enter that container for further troubleshooting. “ctop” looks like this:

The solution to a container over utilizing its resources is up to you and your developers. ctop is however a great way to zero in on at least which container is the problem.

In our case, a quick stop/start of the container removed the load and allowed us to do more debugging to figure out the cause. Tendenci is a mature and large codebase for association management (AMS software), so it’s an iterative process to zero in on issues. And it can be done with the right tools.
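The triage the post walks through (find the busy container, look inside it, and only then stop/start it) as an added Python example; this is not code from the post, from ctop or from Tendenci. It parses a constructed `docker stats --no-stream` snapshot, flags containers above a CPU threshold, and lists the commands to run next with the container name shell-quoted. The `--format` template, the threshold and the sample figures are assumptions.

```python
"""Triage which container is burning CPU from a `docker stats` snapshot.

Added illustration: this is not ctop's or Tendenci's code. It assumes the
line format produced by
  docker stats --no-stream --format "{{.Name}} {{.CPUPerc}} {{.MemPerc}}"
(one container per line, percentages such as "153.27%"). The SAMPLE_STATS
text is constructed, not captured from a real host.
"""
import re
import shlex
from dataclasses import dataclass

# Constructed snapshot of three containers during a CPU spike.
SAMPLE_STATS = """\
tendenci_web_1     153.27%   41.10%
tendenci_db_1        4.02%   18.75%
tendenci_nginx_1     0.35%    1.02%
"""

# name, cpu%, mem%; anything that does not match is ignored rather than guessed at.
LINE_RE = re.compile(r"^(\S+)\s+([\d.]+)%\s+([\d.]+)%$")


@dataclass(frozen=True)
class ContainerLoad:
    name: str
    cpu_pct: float
    mem_pct: float


def parse_docker_stats(text: str) -> list[ContainerLoad]:
    """Parse one ContainerLoad per well-formed line; blank and junk lines are skipped."""
    loads = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            loads.append(ContainerLoad(match.group(1), float(match.group(2)), float(match.group(3))))
    return loads


def hot_containers(loads: list[ContainerLoad], threshold_pct: float = 100.0) -> list[ContainerLoad]:
    """Containers at or above threshold_pct (default: one fully busy core), busiest first."""
    return sorted((c for c in loads if c.cpu_pct >= threshold_pct),
                  key=lambda c: c.cpu_pct, reverse=True)


def next_steps(container: ContainerLoad) -> list[str]:
    """Commands to run next, in order: look first, restart last.

    The container name is quoted before it is interpolated into a shell command;
    a name scraped from tool output should never reach a shell unquoted.
    """
    name = shlex.quote(container.name)
    return [
        f"docker logs --tail 200 {name}",   # what was it doing when it spiked?
        f"docker top {name}",               # which process inside is stuck?
        f"docker exec -it {name} sh",       # poke around in the container itself
        f"docker restart {name}",           # only once you have what you need for root cause
    ]


if __name__ == "__main__":
    for c in hot_containers(parse_docker_stats(SAMPLE_STATS)):
        print(f"{c.name}: {c.cpu_pct:.2f}% CPU, {c.mem_pct:.2f}% mem")
        for cmd in next_steps(c):
            print("  ", cmd)
```

The post's point about htop being swapped out by malware is worth a second, independent reading: on Debian/Ubuntu hosts, `dpkg -V htop` compares the installed files against the package's recorded checksums, so a silently replaced binary shows up before you trust its numbers.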

Happy Container Utilization

This is what one of the Tendenci Cloud Docker servers looked like after debugging and killing the process causing the problem. “Yes”, of course there is no replacement for “grep”. But with containers, debugging is a new art even for experienced programmers.

Hopefully this is helpful for all of the self-hosted Tendenci developers out there running the Open Source AMS, with its 75+ languages, on their own installs.

And if you are a Python/Django developer, fork Tendenci, the open AMS, on GitHub!


What a DDoS attack to an Association Looks Like

The following graphs show what a Distributed Denial of Service (DDoS) attack on an association looks like. The names, rates and volume of the association have been blurred for security reasons. We are thankful to AWS for their own defenses in front of ours, which help us mitigate these issues.

responding to ddos attacks as best we can
active response to mitigate attacks

Note: The graphic above is filtered to a 24-hour span for one client. The infrastructure is in place, and highly redundant, so we can monitor and keep our clients safe, whether they are hosted in the US or in other countries (we have multiple Tendenci clouds as needed).

Note 2: Make no mistake: if a bad actor has the budget, they can and will purchase enough bots to take a site down. This is well documented. Even our resources at AWS are limited in what they can handle. Budget (yes, BUDGET) accordingly.

Tendenci 7.4.0 Release Notes

Release Summary

The team at Tendenci has been working to make improvements to our T7 software.  The batch of updates noted in this release are mostly centered on:  the Tendenci Nav, Reports, and Newsletters.  You can look for these changes on your T7 site.

Notable changes:

  1. New top menu (for both admin and logged in users)
  2. Newsletters format update and clone feature
  3. Reports format update (including invoices, memberships, etc.)
  4. Events views – Added sub menu for month view, week view, day view
  5. Separated join approval and renewal approval for membership notices
  6. WYSIWYG editor – Enabled the image title input field in the image dialog. Added class dropdown to the TinyMCE link dialog box
  7. Updated the directories categories to make them easier to manage
  8. Added drag-drop functionality to the testimonials
  9. Added memberships overview report
  10. Added a link on Profile page to view past events.
  11. More minor changes


  1. (Security) Disabled GZipMiddleware to prevent BREACH attacks
  2. (Security) Prevent fraudulent simultaneous reuse of PayPal transactions
  3. Resolved the issue regarding hangs when caching is enabled. Re-enabled the cache for site settings.
  4. Resolved the subprocess venv issue.
  5. Fixed exports for directories, jobs, resumes, pages.
  6. Fixed “Most Viewed Files” report.
  7. More fixes
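An added example of the pattern behind fix 2 above (rejecting a payment processor transaction id that arrives again, including simultaneously); this is not Tendenci’s own PayPal code. A database uniqueness constraint, taken under a write lock, decides which of several concurrent callbacks wins, and an amount check stops a genuine small transaction being replayed against a larger invoice. The table, the `PaymentLedger` class, the `record_payment` outcomes and the txn_id values are all constructed for the illustration.

```python
"""Reject reuse of a payment transaction id, even when the same id arrives
simultaneously in several requests.

Added illustration of the general pattern (not Tendenci's own PayPal code).
Assumes a callback carrying a processor transaction id (txn_id) and the amount
paid; the table, the ledger class and the sample callback values are constructed.
"""
import os
import sqlite3
import tempfile
import threading
from collections import Counter

SCHEMA = """
CREATE TABLE IF NOT EXISTS payment_txn (
    txn_id       TEXT PRIMARY KEY,  -- the database, not request handling, enforces single use
    invoice_id   INTEGER NOT NULL,
    amount_cents INTEGER NOT NULL
);
"""


class PaymentLedger:
    """One row per processor transaction; a txn_id can only ever be inserted once."""

    def __init__(self, path: str):
        self.path = path
        conn = self._connect()
        try:
            conn.executescript(SCHEMA)
        finally:
            conn.close()

    def _connect(self) -> sqlite3.Connection:
        # isolation_level=None: we issue BEGIN/COMMIT ourselves so the write lock
        # is taken up front (BEGIN IMMEDIATE) and contending writers queue on the
        # busy timeout instead of failing with "database is locked".
        return sqlite3.connect(self.path, timeout=10, isolation_level=None)

    def record_payment(self, txn_id: str, invoice_id: int, amount_cents: int,
                       expected_cents: int) -> str:
        """Return 'accepted', 'duplicate' (txn_id already used) or 'amount_mismatch'."""
        if amount_cents != expected_cents:
            return "amount_mismatch"   # a real, cheap txn replayed against a dearer invoice
        conn = self._connect()
        try:
            conn.execute("BEGIN IMMEDIATE")
            try:
                conn.execute(
                    "INSERT INTO payment_txn (txn_id, invoice_id, amount_cents) VALUES (?, ?, ?)",
                    (txn_id, invoice_id, amount_cents),
                )
            except sqlite3.IntegrityError:
                conn.execute("ROLLBACK")
                return "duplicate"     # the PRIMARY KEY already holds this txn_id
            conn.execute("COMMIT")
            return "accepted"
        finally:
            conn.close()


def make_ledger() -> PaymentLedger:
    """Fresh ledger in a temporary file (constructed test fixture)."""
    fd, path = tempfile.mkstemp(suffix=".sqlite3")
    os.close(fd)
    return PaymentLedger(path)


def simulate_concurrent_reuse(ledger: PaymentLedger, txn_id: str, invoice_id: int,
                              amount_cents: int, workers: int = 8) -> Counter:
    """Fire `workers` identical callbacks at the same instant; count the outcomes."""
    outcomes: list[str] = []
    lock = threading.Lock()
    start = threading.Barrier(workers)   # release every thread together

    def worker():
        start.wait()
        result = ledger.record_payment(txn_id, invoice_id, amount_cents, expected_cents=amount_cents)
        with lock:
            outcomes.append(result)

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return Counter(outcomes)


if __name__ == "__main__":
    ledger = make_ledger()
    print(simulate_concurrent_reuse(ledger, "TXN-CONSTRUCTED-001", 42, 5000))
```

The design choice is that uniqueness lives in the schema rather than in a "have we seen this id?" lookup followed by an insert: two requests can both pass such a lookup before either inserts, whereas the constraint makes exactly one of them win no matter how they interleave.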

Tendenci Nav

The Tendenci Nav has been reorganized to help you find what you’re looking for. We hope you’ll take the time to review your new Tendenci Nav and get familiar with some of these changes. Here’s a screenshot of what it should look like:

*For all of these updates, some sites will display slightly different fonts and design features based on the site theme. 

Tendenci Nav Screenshot T7
Screenshot of the new Tendenci Nav in T7


Updates in the Reports module include consolidation of all reports into their own Tendenci Nav item.

Reports screenshot, Tendenci Nav


This release also includes an update to the Invoices module, making invoices faster to browse visually in a table-based format.  To view invoices in the new navigation on your site, click: Reports > 5. Financial > Invoicing.

Tendenci Invoices Screenshot
New Tendenci Invoices Screenshot


The Newsletters module works almost exactly the same as before.  We have made a few features a little bit easier to use.  For example, if you’d like to re-assign the newsletter to a different group, you can now do so even after you’ve generated the Newsletter in the first step.  We’ve also made some layout improvements that take advantage of Bootstrap’s framework.

The “clone” feature has also been added to this module.  With clone, you can send a test e-mail, then clone it and send it to your target audience rather than copying and pasting the contents from the first send.

Screen shot of Tendenci clone feature in Newsletters
Screen shot of Tendenci’s new “clone” feature in Newsletters

Have software updates you’d like to share? Fork us on GitHub!

Special thanks to @PaulSD for lots of fixes and updates!

SSL Encrypting all Tendenci Hosted Sites

NOTE: This is a cross post. The original post is at:

Encrypt All The Things

To our clients. The above graph is a filtered subset of what is a *typical* day of network alerts. As the media has stated, the issue is quite real.

We greatly appreciate you and it is important to us that you remain safe. To further advance that objective in the current geopolitical environment, all hosted Tendenci sites will be encrypted going forward per our CEO.

Why? Because security. The Internet has changed and we must adapt.

Adapt? Remember when that Steve Jobs guy invented the iPhone and suddenly sites that were awesome the week before… well… they weren’t as awesome the next day? The. Next. Day. Technology is like that.




SEO isn’t just about Google – Alternative Search Engines

If you believe in the long tail theory, adding up SERP results from all of the smaller search engines can be just as important as trying to score well in the almighty Google. So where do you focus your energy? I vote both. At least submit your site to a few of the relevant ones and, of course, check your keyword density for your primary SEO keywords.

Rather than repeat the work of others – this site lists several alternative search engines you can start with: 

Yes, many of these search engines are small and hyper-regional, but that matters to the Tendenci community given the open source translation efforts going on at Transifex for Tendenci – the Open Source AMS. We thought it might help you too!





Equifax Breach via Apache Struts Framework

(This is a cross post from our CEO’s personal blog. Note that Tendenci sites do NOT use Apache, and the vulnerabilities in Equifax’s implementation of Apache Struts do NOT impact your Tendenci site. Still, be aware that nothing is 100% secure, so stay vigilant and be prepared, friends!)

As reported last Friday, Equifax, the personal credit reporting agency, had a 2017 data breach of 143 million people’s identities. It started in May 2017 and is just now (August 2017) being disclosed. It is going to impact all of us. Sources:

  1. Equifax data leak could involve 143 million consumers
  2. PSA: no matter what, Equifax may tell you you’ve been impacted by the hack
  3. Did Lack of Visibility into Apache Struts Lead to the Equifax Breach?

From the second article on the Equifax breach linked above, this portion really galls me:

… not only are none of the last names tied to your Social Security number, but there’s no way to tell if you were really impacted.

It’s clear Equifax’s goal isn’t to protect the consumer or bring them vital information. It’s to get you to sign up for its revenue-generating product TrustID.

Earlier it was revealed executives had sold stock in the company before going public with the leak. We also found TrustID’s Terms of Service to be disturbing. The wording is such that anyone signing up for the product is barred from suing the company after.

The following phrase alone, if true, combined with Equifax literally trying to monetize their security errors, is what gives capitalism a bad name:

The wording is such that anyone signing up for the product is barred from suing the company after.

I have to believe the Equifax PR team is working for PharmaBro or Putin trying to make them look good in comparison.

Note: Equifax has changed the indemnification, but only under duress imho. Furthermore 30 days free credit monitoring by the company that released your data and then you will have to pay monthly still seems wrong. But to be fair, here is their update:

Questions continue to be raised about the arbitration clause and class action waiver language that was originally in the terms of use for the free credit file monitoring and identity theft protection products that we are offering called TrustedID Premier.
(Editor: well ya, duh!?)

We have removed that language from the TrustedID Premier Terms of Use and it will not apply to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself. The arbitration language will not apply to any consumer who signed up before the language was removed.
(Editor: but did you fire the person who did it in the first place?)

I get it. Nothing is secure. If the NSA’s hacking tools get stolen and OPM loses all of the data on security clearance checks on our own people, then truly nothing is safe. I get it.

What I do not understand is a company as large as Equifax not being prepared for something like this. That Equifax did not announce it promptly. That Equifax executives sold stock before announcing it. That Equifax then attempted to indemnify themselves. That Equifax is using the crisis to sell a monitoring service that you have to pay for after 30 days. A service to monitor YOUR data that THEY lost control of!

This boggles the mind of a PR Professional.

The Internet was not built for e-commerce – it was built for knowledge sharing in a “walled garden”. Therefore keeping sites secure is not possible. Any security professional will tell you best practice is to white-list good guys (selective inclusion) as opposed to trying to find every attack and block it. Therefore the difficulty at a high level is primarily in identifying and blocking bad actors.
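An added example (not code from the post) of the allow-list principle the paragraph states: the same handful of source addresses judged first by a default-deny allow-list (selective inclusion) and then by a default-allow block-list. The networks are RFC 5737 documentation ranges and the addresses are constructed; nothing here is anyone’s real infrastructure.

```python
"""Selective inclusion (allow-list) versus selective exclusion (block-list).

Added illustration, not code from the post. The networks and addresses are
constructed from documentation/test ranges, not anyone's real infrastructure.
"""
import ipaddress

# Constructed: the only networks an administrative endpoint should accept.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.16/28")]
# Constructed: ranges previously seen misbehaving, as a block-list would record them.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24",)]


def _parse(source: str):
    """Return an address object, or None for anything that is not a valid IP."""
    try:
        return ipaddress.ip_address(source.strip())
    except ValueError:
        return None


def _in_any(addr, networks) -> bool:
    # `in` is False for a mismatched IP version, so an IPv6 source never
    # accidentally matches an IPv4 entry.
    return any(addr in net for net in networks)


def allow_list_permits(source: str) -> bool:
    """Default deny: malformed input and never-seen-before sources both fail."""
    addr = _parse(source)
    return addr is not None and _in_any(addr, ALLOWED_NETWORKS)


def block_list_permits(source: str) -> bool:
    """Default allow: anything not explicitly listed gets through, including the
    next attacker, who has not been seen before and so is not on the list."""
    addr = _parse(source)
    return addr is not None and not _in_any(addr, BLOCKED_NETWORKS)


def compare(sources):
    """Map each source to (allow_list_verdict, block_list_verdict)."""
    return {s: (allow_list_permits(s), block_list_permits(s)) for s in sources}


if __name__ == "__main__":
    samples = ["192.0.2.10", "203.0.113.5", "233.252.0.1", "not-an-ip"]
    for src, (allow, block) in compare(samples).items():
        print(f"{src:>14}: allow-list={'pass' if allow else 'deny'}  "
              f"block-list={'pass' if block else 'deny'}")
```

The third sample address is the one that matters: it is on neither list, so the block-list waves it through and the allow-list refuses it, which is exactly the difference between blocking every attack you have already seen and admitting only the parties you have decided to trust.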

I hate to say it folks, but we are playing whack-a-mole with your identity and money. It will always be an uphill battle to maintain security on the Internet and you will never ever be 100% safe.

As reported by Black Duck (awesome people btw), the specifics of the attack on Equifax are currently easily exploitable on similar sites. This is like Hurricane Harvey – it’s not even close to over.