Our first transparency report

probably not a canary

We just posted the Tendenci government transparency report for January 1 to June 30, 2016 to our site. There is nothing to report, but it is a new process put in place in keeping with the values of the Tendenci community.

Why? Because all companies that store information, like electric companies, phone companies, email providers, search engines, etc., must respond to requests from the government. That includes us. The solution is transparency reporting, because we think you have a right to know.

Why now? The (previous) absence of transparency reporting including a canary clause was brought up at a recent convention. We listened to you. We agree with you. So we fixed it. It’s pretty boring and let’s hope it stays that way.

Thank you to the client who asked about it! Tendenci is a community and we appreciate dialog that helps the community. Y’all rock!

You can find Tendenci’s transparency reports at https://www.tendenci.com/transparencyreporting/

What’s next? We would love to hear from you about your best practices for data retention. If you are willing to share, please post those in the Tendenci forums.

malicious stuff – it’s real

On our little company blog on our tiny corner of the Internet (relatively speaking, I guess) this is the current reality. Mind you, this is just our blog and not attacks on our site or on client sites.

Tendenci blog stats – blog.tendenci.com
132,055 Blocked malicious login attempts
282,058 Spam comments blocked by Akismet

#joy

Note that Tendenci is not a blog platform – it’s built on Python and Django and is open source (https://github.com/tendenci) – but our blog is on WordPress, as is my personal blog. WordPress is doing an amazing job fighting hard against the constant PHP attacks.

The numbers above speak for themselves. I still think WordPress is the best blogging platform out there. But just WOW. I just don’t know that people understand what they are up against.

Yes, I’ll share some of the data on attacks on our cloud infrastructure, which aren’t that far off as a percentage. This is just me pointing out that the Internet isn’t a nice place. If you have a WordPress blog I HIGHLY recommend you install Jetpack from WordPress (free) as well as Sucuri. It’s worth it.

Docker Server outage Sunday May 8th 11:10pm – May 10th 2:15pm

An automatic security update installed on one (1) of the Tendenci Docker servers in our AWS US-East data center on Sunday May 8th at approximately 11:10pm CST.

The update included changes to the file system to increase security. The automatic conversion took significantly longer than prior updates resulting in some sites being offline during this time period.

See the release notes for Docker 1.11.1 for more technical detail: https://github.com/docker/docker/releases/tag/v1.11.1

Security cannot and will not be compromised. Our focus instead is on redundancy (multiple copies of sites / automatic failover).

Our response will be explained further when our after-action incident review is complete.

rolling outages today and tomorrow April 16 for additional security precautions

Dear clients – we will be doing some unscheduled maintenance to build out a more redundant infrastructure. Specifically, this means the network team is making copies of entire servers so they can be brought back up quickly and easily in the case of a security issue.

The decision to create the extra server images in addition to the normal site backups was made based on security information we received from official and unofficial sources. We recognize any outage is an inconvenience and will work to keep security as our top priority.

The ETA for outages is approximately 30 minutes per server. Most likely less as our cloud is fairly distributed.

I am typing this at 5:40 PM on Saturday April 16 CST 2016. I will keep updating this same blog post as we get better data on timelines.

Continued Configuration Changes on Windows Legacy Servers

Update: We will be doing a planned reboot of the Windows servers late this afternoon Wednesday January 21, 2014 to begin the process of restoring two of the remaining clients that are still offline.

Scope: This update applies to Tendenci 4 clients on Windows only. It specifically does NOT apply to Tendenci 5 or Tendenci 6 clients on Linux.

To give you an idea of the scope and velocity of hack attacks that continue, these are attempted crimes mind you, I’ve attached a 15 second video taken several days ago of actual attacks on one of our servers INSIDE the allowed ports.

15 seconds of network attacks

A further update on the 404 errors that the legacy Tendenci 4 clients have been experiencing intermittently. We have been measuring everything possible and tweaking the configuration settings as we see patterns in the logs. Each day generates over 1GB in security alerts across the data centers. All of these are either known attacks or zero-day attempts.

This is what we are fighting and it is relentless. The fact remains that we have protected the legacy sites by moving them from Windows 2003R2 IIS 6 to Windows 2012R2 IIS 8. But to make Classic ASP run in IIS 8 we are running the servers in “compatibility mode”, which is not an ideal configuration for any technology. And “secure” does not mean “functional” if your sites are locked down to the point of not meeting functional requirements.

We have taken a step back and concluded that a technology platform started in 2001 is not up to the cyberwars of 2015. We will have a further update posted later today on possible paths forward for Tendenci 4 clients.

~ Ed

HOWTO: Keep your cell phone safe and secure


Time to put the smart in smart phone!

With news updates of phone hacking scandals splashing headlines the world over, we’re hearing lots of cell phone security buzz – and for good reason too!

While a major news outlet may not be interested in your cell phone activities (or we sure hope not!), this is still a great time to make sure you are practicing some solid cell phone security practices.

Keep that cell phone close by!

You are far more likely to misplace / lose a cell phone than to get hacked, so be sure your little handheld buddy doesn’t stray too far.

  • Beware of keeping your phone on your table at busy restaurants, leaving your phone in the car (even just for a ‘second’), etc.
  • Find a ‘funky’ cover or skin to make it super easy to identify your iPhone – easily avoid an accidental mix-up (I’m a big fan of the Infectious skins) when at a networking event or dinner with 7,000 other iPhone / Blackberry / Android users
  • Password protect your phone to keep your logins, contacts, email and notes safe from undesirables – also great for making sure any kiddos in your life don’t make random calls to Japan
    • For safety purposes, use an emergency app like smart-ICE to not only store your ICE info (‘In Case of Emergency’) for paramedics to be aware of medical conditions, insurance details and contact info, but add ICE info to your locked screen (in addition to your quirky-cool smart phone wall paper).
  • Install a phone location / security app on your phone, a few examples:

Beware of public Wifi + ‘Evil Twins’

Yay for public Internet access! But boo for public Wi-Fi security. Extra emphasis on that ‘boo’ when using a credit card or login, as not all Wi-Fi connections are as secure and innocent as they seem. Learn more about the ‘Evil Twin’ phishing scam here.

As cumbersome and slow as it might be, opt for your 3G / 4G network connection over a public Wi-Fi connection to stay secure. Or pick up your own piece of the Internet and invest in a MiFi card.

What’s up with hardware and software security?

Not all apps and phones are created equal. For iPhone users, Apple has a more stringent vetting process for apps that helps weed out *most* malicious programs. Android’s app community is far more open and has had some security exploits in early 2011.

Use common sense when purchasing apps and accessing certain sites (like your bank account, for instance) on your smart phone. Beware of ‘look alike’ apps that might be masquerading as a Chase banking utility, think twice about depositing checks using a phone app – and learn the safe ways to bank on your phone here.

Photo thanks to Flickr user GwenFlickr

Get increased Facebook security with HTTPS

Add extra Facebook security

Ah, the Internet. Home of silly company names and weird acronyms for cool stuff. Gowalla, anyone?

The latest piece of online verbiage that you should really know about is: HTTPS (‘Hypertext Transfer Protocol’ with SSL security).

Facebook has recently added HTTPS support, which means that you now have the ability to access the Facebook site in a more secure environment.

How to update your Facebook HTTPS settings

  1. Visit your ‘Account Settings’ page:

    Update Facebook account settings

  2. Scroll to Account Security and click ‘Browse Facebook on a secure connection (HTTPS) whenever possible’:
  3. Don’t see this option yet? Hold on for a bit, as they are rolling it out over the next couple of weeks.

How will HTTPS affect my Facebook-ing?

The Facebook programmers have cautioned users that enabling this additional encryption may cause pages to load more slowly and also means that some 3rd party applications may not work until some additional tweaking is done.

What? Facebook has been insecure this whole time?

Wellllll… that’s a tricky question to answer. This increase in encryption with HTTPS makes it that much harder for someone else to snoop on your Facebook traffic when you are, say, surfing on a public wifi connection.

But, as we’ve seen with numerous Facebook updates that have exposed information users didn’t intend to share publicly, approaching your Facebook surfing and sharing with caution is ALWAYS highly recommended.

Feeling overwhelmed or want a friendly person to friend on Facebook? Contact the Schipulites to see how we can help!

Photo thanks to Flickr user Sean McGrath