
Open Source Lisbon 2018 - David Nelsen Presentation

"Build your private cloud with Open Source solutions and own your privacy" - David Nelsen

Published in: Technology


  1. Open Privacy Stack
  2. Who Values Data Privacy?
     ● Privacy is a human right
     ● Data privacy invasion will cause harm, imprisonment, or death to myself or loved ones
     ● To protect my reputation
     ● To protect my profession
     ● To protect my clients
  3. Open Privacy Stack
     ● A project, not a company
     ● DarkIron manages the project
     ● DarkIron is not a company (yet)
     ● DarkIron will not be US based
     ● Community version
     ● DarkIron professional services
  4. OPS Core Requirements
     ● True open source
     ● Active community
     ● Active development
     ● Cross platform
     ● No shared secrets with third-party vendors
     ● Owned and controlled by the owner/enterprise
     ● On premise or co-location; the owner keeps full control and ownership
     ● Encryption by default: server side, client side and in transit
  5. Targeted Clients
     ● Small to medium enterprises
     ● Virtual teams
     ● Partnerships
     ● Legal, accountants, banking
     ● Consultancies
     ● Journalists
     ● Startups requiring data privacy
     ● Political activists
     ● Family businesses
     ● Non-profits
     ● Wealthy individuals
     ● Investors
  6. The Three Privacy Domains (diagram)
     ● Technology (marked "Right Here": the domain this talk covers)
     ● Awareness / Education
     ● Legal action / Political
  7. Security
  8. Enterprise Class Firewall
     ● pfSense
       – Location: Texas
       – License: Apache 2.0, 100% open source including device drivers
       – FreeBSD based: light and fast
       – Intuitive GUI
       – OpenVPN
       – RADIUS server
       – Hardware friendly
  9. MFA: Multi-Factor Authentication
     ● LinOTP
       – Location: Germany
       – License: AGPL
       – Python
       – Simple QR-code token enrolment with an authenticator app
       – Used for MFA to RADIUS via the OpenVPN client
       – NO SHARED SECRET WITH A 3RD-PARTY TOKEN APP!
  10. Password Management
     ● Bitwarden
       – Location: US
       – License: AGPLv3
       – Written in C#/.NET
       – Docker image running in Proxmox
       – OK password generator
       – Nice build
       – Custom fields
       – Looks promising
       – Bug bounty on HackerOne
  11. Password Generator
  12. Password Test
  13. Privacy
  14. I2P Anonymous Overlay Network
     ● True decentralization, unlike Tor
     ● Monero migrating to the network
     ● Point to point: no internet exit nodes, unlike Tor
     ● In OPS, used for anonymous federation traffic (email and chat)
  15. B2B Anonymous Overlay Network
  16. SecureDrop
     ● Whistleblower drop box
     ● Used by most news agencies
     ● Air gap + Tor
     ● Tails recommended
  17. Communication
  18. TIME CHECK 12:35
  19. Email Server MTA
     ● Postfix
       – TLS transport by default
       – Server-side encryption (LUKS full-disk encryption)
       – Clean and snappy webmail
       – Works great with Thunderbird/Enigmail
       – Full sync with calendar, contacts, tasks
       – Flexible configuration
       – Free Let's Encrypt cert
  20. MTA Components
     – Debian Stretch: operating system
     – Postfix: Mail Transfer Agent (MTA)
     – Dovecot: POP3, IMAP
     – Apache, Nginx: web server
     – OpenLDAP: LDAP server, used for storing mail accounts (optional)
     – MySQL, MariaDB, PostgreSQL: SQL server storing application data / email accounts
     – Amavisd-new: interface between Postfix and SpamAssassin, ClamAV
     – SpamAssassin: content-based spam scanner
     – ClamAV: virus scanner
     – Roundcube: webmail (PHP)
     – SOGo: groupware; calendar (CalDAV), contacts (CardDAV), tasks and ActiveSync
     – Fail2ban: scans log files and bans IPs that show malicious signs
     – Awstats: Apache and Postfix log analyzer
  21. Simplifying the Build
     ● iRedMail
       – Location: Slovenia
       – License: GPL v3 (package)
       – All components compiled
       – Simple installation
       – Active community
       – Great support
       – https://www.iredmail.org/
  22. Email Not Secure by Default (diagram)
     Sender MTA → Receiver MTA: TLS handshake. The receiver supports TLS, so the message is sent over TLS. Nothing forces this outcome: it only happens because both sides happened to offer it.
  23. Fail Open (diagram)
     Sender MTA → Receiver MTA: TLS handshake. The receiver does not support TLS, so the sender falls back and sends the message in cleartext.
  24. MitM Downgrade Attack (diagram)
     Sender MTA → Man in the Middle → Receiver MTA. The receiver supports TLS, but the man in the middle answers the handshake as if TLS were not supported; the sender falls back and the message crosses the wire in cleartext.
  25. Downgrades Never Happen? (chart)
     Percentage of downgraded inbound Gmail messages, April 20-27 2015. Source: https://conferences.sigcomm.org/imc/2015/papers/p27.pdf
  26. TLS By Default (diagram)
     Sender MTA → Receiver MTA: TLS handshake with TLS mandatory. If the only option left is cleartext, the sender does not send: REJECT!
  27. Chat
     ● Matrix
       – Location: UK
       – License: Apache 2.0
       – Bridges to many walled-garden chat apps, and to XMPP
       – Video/voice via WebRTC
       – Jitsi integration
       – Adopted by the French government to replace US-based cloud chat apps
       – Riot chat app, consistent across all platforms
       – Decentralized, federated model
       – E2E encryption based on the Signal protocol's Double Ratchet (1:1 and group)
  28. Consistent Cross Platform
  29. Bridging
  30. Growing User Base
  31. Desktop VoIP
     ● FreeSWITCH
       – Location: California, USA
       – License: Mozilla Public License (MPL 1.1)
       – Collective rather than corporate model (contrast: Asterisk)
       – SIP federation between two autonomous sites, bypassing the public telephone network
       – Interface to the public telephone network
       – PBX
  32. File Sync and Collaboration
  33. File Sync and Collaboration
     ● Nextcloud
       – Location: Germany
       – License: AGPLv3
       – Ubuntu 18.04 recommended
       – Supports server-side and end-to-end encryption
       – Integration with the MTA
       – Many community plugins
       – Collabora integration (Google Docs-like editing)
       – Light enough to run on a Raspberry Pi for a single user
       – Supports federation
  34. Collabora Real Time Editing
  35. Video Conferencing
     ● Jitsi
       – Location: Australia/France
       – License: Apache 2.0
       – Born in France, adopted by Atlassian
       – Integrates with Matrix and XMPP
       – Full featured
       – It just works!!!
  36. Jitsi Matrix Integration
  37. Open Privacy Stack (architecture diagram)
     pfSense · OpenVPN · LinOTP · FreeRADIUS · iRedMail · Nextcloud · Matrix home server · Jitsi · Squid reverse proxy · Bitwarden · SecureDrop · I2P
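Slide 9 makes a point of "no shared secret with a 3rd-party token app". What that means in practice: the QR code an authenticator app scans is an otpauth:// URI carrying a random seed generated on the MFA server, so the seed exists only on that server and in the user's app, and codes are verified with RFC 6238 TOTP. The block below is an added example written for this page, not LinOTP's code; the issuer and account names are placeholders, and the RADIUS/OpenVPN plumbing from the slide is out of scope.

```python
"""Enrol-by-QR and verify TOTP, as an illustration of slide 9 (added example, not LinOTP code)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse


def generate_seed(nbytes: int = 20) -> bytes:
    # Random per-user seed, created server side at enrolment. It never leaves the
    # server except inside the QR code the user scans.
    return secrets.token_bytes(nbytes)


def provisioning_uri(seed: bytes, account: str, issuer: str,
                     digits: int = 6, period: int = 30) -> str:
    # Payload of the enrolment QR code (the Key URI format authenticator apps read).
    # `account` and `issuer` are illustrative labels, not values from the slides.
    secret_b32 = base64.b32encode(seed).decode().rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    params = urllib.parse.urlencode({
        "secret": secret_b32, "issuer": issuer,
        "algorithm": "SHA1", "digits": digits, "period": period,
    })
    return f"otpauth://totp/{label}?{params}"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation,
    # then reduce modulo 10^digits and left-pad with zeros.
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, digits: int = 6, period: int = 30) -> str:
    # RFC 6238: HOTP with the counter set to the current time step.
    return hotp(seed, unix_time // period, digits)


def verify_totp(seed: bytes, code: str, unix_time: int, window: int = 1,
                digits: int = 6, period: int = 30) -> bool:
    # Accept the current step plus/minus `window` steps to tolerate clock skew
    # between server and phone. compare_digest keeps the comparison constant-time.
    step = unix_time // period
    return any(hmac.compare_digest(hotp(seed, step + d, digits), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    seed = generate_seed()
    # "OPS-VPN" and "alice@example.org" are placeholder labels for the demo.
    print(provisioning_uri(seed, "alice@example.org", "OPS-VPN"))
    now = int(time.time())
    code = totp(seed, now)
    print(code, verify_totp(seed, code, now))
```

The RADIUS server in the stack only needs to call something like `verify_totp` against the seed it stored at enrolment; no round trip to a vendor's cloud is involved, which is the property the slide is after. Keep `window` small: every extra step roughly doubles the number of codes an attacker can guess at.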
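Slides 22 to 26 show four STARTTLS outcomes: TLS negotiated because both sides happen to support it, fail-open to cleartext when the receiver offers no STARTTLS, a man in the middle stripping STARTTLS from the EHLO response so the sender falls back to cleartext, and a mandatory-TLS sender that refuses to send at all. The model below plays those four scenarios through a minimal SMTP capability exchange. It is an added example for this page, not Postfix or iRedMail code; the only thing borrowed from Postfix is the naming of the sender policy after its `smtp_tls_security_level` values `none`, `may` and `encrypt`. Host names and the capability list are constructed.

```python
"""STARTTLS negotiation model for slides 22-26 (added example, not Postfix code)."""
from dataclasses import dataclass
from typing import Callable, List, Optional

# Sender policies, named after Postfix smtp_tls_security_level values
# (Postfix has further levels such as dane and verify that are not modelled).
NONE, MAY, ENCRYPT = "none", "may", "encrypt"


@dataclass
class Receiver:
    """Receiving MTA. `supports_tls` decides whether STARTTLS is advertised."""
    name: str
    supports_tls: bool

    def ehlo_response(self) -> List[str]:
        # Multi-line 250 reply; every line but the last uses "250-" (RFC 5321).
        caps = [f"250-{self.name}", "250-SIZE 52428800", "250-8BITMIME"]
        if self.supports_tls:
            caps.append("250-STARTTLS")
        caps.append("250 ENHANCEDSTATUSCODES")
        return caps


def strip_starttls(lines: List[str]) -> List[str]:
    """Constructed man in the middle: removes the STARTTLS line before the sender sees it."""
    return [line for line in lines if line[4:] != "STARTTLS"]


def deliver(policy: str, receiver: Receiver,
            mitm: Optional[Callable[[List[str]], List[str]]] = None) -> str:
    """Return how the message left the sender: 'tls', 'cleartext' or 'deferred'."""
    if policy not in (NONE, MAY, ENCRYPT):
        raise ValueError(f"unknown policy {policy!r}")
    response = receiver.ehlo_response()
    if mitm is not None:
        response = mitm(response)       # what the sender actually sees on the wire
    offered = any(line[4:] == "STARTTLS" for line in response)

    if policy == NONE:
        return "cleartext"              # never attempts TLS
    if offered:
        return "tls"                    # STARTTLS issued, handshake, message encrypted
    if policy == MAY:
        return "cleartext"              # slide 23/24: fail open, carry on in the clear
    return "deferred"                   # slide 26: TLS required but not offered, REJECT


def slide_scenarios() -> dict:
    """The four situations drawn on slides 22, 23, 24 and 26, for an opportunistic sender
    and a mandatory-TLS sender."""
    tls_capable = Receiver("mail.example.net", supports_tls=True)
    plain_only = Receiver("legacy.example.com", supports_tls=False)
    return {
        "22 both support TLS, opportunistic": deliver(MAY, tls_capable),
        "23 receiver lacks TLS, opportunistic": deliver(MAY, plain_only),
        "24 MitM strips STARTTLS, opportunistic": deliver(MAY, tls_capable, strip_starttls),
        "26 MitM strips STARTTLS, mandatory": deliver(ENCRYPT, tls_capable, strip_starttls),
        "26 receiver lacks TLS, mandatory": deliver(ENCRYPT, plain_only),
        "26 both support TLS, mandatory": deliver(ENCRYPT, tls_capable),
    }


if __name__ == "__main__":
    for scenario, outcome in slide_scenarios().items():
        print(f"{scenario:45s} -> {outcome}")
```

Two caveats the slides leave implicit. First, `encrypt` only defeats the downgrade; it accepts any certificate, so an attacker who can present their own certificate still reads the mail, which is why Postfix also has `verify`/`dane` levels. Second, setting `encrypt` globally means mail to every domain that still lacks TLS stays in the queue, so in practice it is applied per destination through `smtp_tls_policy_maps` rather than as the default.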