Loomio
February 22nd, 2013 11:19

Security response team

Jonne Haß

I think we need to form a security response team to be contacted for responsible disclosure. We could set up a shared email account and share a PGP keypair which we each sign with our own keys.

Jonne Haß February 22nd, 2013 11:20

Count me in, who's with me?

Flaburgan February 22nd, 2013 13:06

Hm, I don't think I have the competence to be in, so, without me ;)

Florian Staudacher February 22nd, 2013 14:23

+1

goob February 22nd, 2013 16:06

It sounds like a very good idea, but like Fla I don't think I have the competence, I'm afraid.

(I have a mental picture of you all in riot gear and assault rifles, going in like a SWAT team...)

Jason Robinson February 22nd, 2013 20:21

+1 for this, but I think I'll stay out, way too many things going on :P

(offtopic maybe but don't really understand the PGP part? Isn't the point to receive alerts and act on them? :P)

Jonne Haß February 22nd, 2013 20:52

PGP for the paranoid so that they can send us encrypted mails and it doesn't matter if the mailbox gets hijacked or the mail gets intercepted or whatever. Just common practice and can't do harm ;) So any suggestions where to get a mailbox?

Jason Robinson February 22nd, 2013 21:26

The paranoid will probably not even send emails to gmail :P

Jonne Haß February 22nd, 2013 21:38

Well, with PGP they could, Gmail won't be able to read them ;)

Tom Scott February 24th, 2013 07:58

+1 definitely.

Flaburgan February 25th, 2013 09:02

@jonneha what about creating an email on @diasporaproject.org when Sean has access to it? We certainly have an email server somewhere (with OVH, I have an email address with every domain name I have, maybe it's the same here)

Jonne Haß February 25th, 2013 10:54

We still have no sign of life from the domain owner. That's basically why I'm asking.

Tom Scott February 25th, 2013 19:37

Who owns diasporaproject.org anyway?

Jonne Haß February 25th, 2013 20:50

whois diasporaproject.org gonna tell you. Somewhat.

goob February 26th, 2013 11:17

Max must know this person, or at least how to get in contact with them, otherwise they wouldn't have pointed diasporafoundation.org to his site in the first place - surely?

goob February 26th, 2013 11:17

Sorry, Maxwell, not Max - didn't mean to shorten his name.

fabianrbz February 27th, 2013 00:33

Count me in!

Ivan Gabriel Morén March 30th, 2013 23:53

A good, simple, secure and free mail, I think this one could do it:

https://help.riseup.net/

They have both email and mailing lists. There are two ways to get an account, either by writing them a request and telling them who we are and why we want it, or by using invitation codes, and as both Paul and I already have accounts for personal purposes we could generate invitation codes.

What do you say?

Jonne Haß August 2nd, 2013 21:51

We now have full control over diasporafoundation.org, including a mail server listening to it, run by @dennisschubert. It's time to make security@diasporafoundation.org a reality. I'm going to generate and publish a PGP key for it; anybody who wants to be in the team can contact me and I'll share the key with you, unless somebody knows a better method to get PGP working on that address.
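The workflow this post and the opening post describe (a key for the shared address, certified by each member's own key, then shared with the team), as an added example that is not part of the thread: it runs entirely in throwaway GNUPGHOME directories, assumes gpg 2.1+ on PATH, and constructs a demo member key and a demo report; nothing here is the project's own key material.

```shell
#!/bin/sh
# Added example, not code from the thread: a shared team key for the security
# address, built in throwaway GNUPGHOME directories so no real keyring is touched.
# Assumes gpg 2.1+ on PATH; the demo keys are constructed with empty passphrases.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to demo" >&2; exit 0; }

TEAM_ADDR="security@diasporafoundation.org"
WORK="$(mktemp -d)"; TEAM="$WORK/team"; MEMBER="$WORK/member"
mkdir -p "$TEAM" "$MEMBER"; chmod 700 "$TEAM" "$MEMBER"
trap 'for h in "$TEAM" "$MEMBER"; do gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true; done; rm -rf "$WORK"' EXIT

# gpg in non-interactive mode with an empty passphrase (demo only)
g() { gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# gen_key <homedir> <uid>: create a non-expiring key and print its fingerprint
gen_key() {
    g --homedir "$1" --quick-generate-key "$2" default default never >/dev/null 2>&1
    gpg --homedir "$1" --with-colons --list-keys "$2" | awk -F: '$1=="fpr"{print $10; exit}'
}

# certify_team_key <member-home> <team-fpr> <team-pubkey-file>:
# a member imports the published team key and certifies it with their own key
certify_team_key() {
    gpg --homedir "$1" --batch --import "$3" 2>/dev/null
    g --homedir "$1" --quick-sign-key "$2" >/dev/null 2>&1
}

# cert_count <home> <team-fpr> <signer-keyid>: certifications on the key by that signer
cert_count() {
    gpg --homedir "$1" --with-colons --list-sigs "$2" |
        awk -F: -v k="$3" '$1=="sig" && $5==k {n++} END {print n+0}'
}

# round_trip <reporter-home> <team-fpr> <team-home> <message>:
# a reporter encrypts to the team key and the team decrypts; prints the plaintext
round_trip() {
    printf '%s' "$4" |
        gpg --homedir "$1" --batch --trust-model always --armor --encrypt --recipient "$2" |
        g --homedir "$3" --quiet --decrypt 2>/dev/null
}

TEAM_FPR="$(gen_key "$TEAM" "$TEAM_ADDR")"
MEMBER_FPR="$(gen_key "$MEMBER" "Team Member <member@example.org>")"   # constructed member
MEMBER_KEYID="$(printf '%s' "$MEMBER_FPR" | tail -c 16)"
gpg --homedir "$TEAM" --armor --export "$TEAM_FPR" > "$WORK/team.asc"       # the key to publish
certify_team_key "$MEMBER" "$TEAM_FPR" "$WORK/team.asc"
# Re-export from the member keyring so the published copy carries the certification.
# The private half (gpg --homedir "$TEAM" --armor --export-secret-keys "$TEAM_FPR") is what
# gets handed to members out of band; regenerate it whenever someone leaves the team.
gpg --homedir "$MEMBER" --armor --export "$TEAM_FPR" > "$WORK/team-certified.asc"
echo "team key $TEAM_FPR: $(cert_count "$MEMBER" "$TEAM_FPR" "$MEMBER_KEYID") certification(s) by $MEMBER_KEYID"
```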

goob August 3rd, 2013 09:43

I've not heard about security@diasporafoundation.org before, Jonne. What is it intended to be? I'd like to know to see if it's something I could be a part of.

Jonne Haß August 3rd, 2013 17:47

It's a method/address to responsibly, that is not in public, disclose serious security issues in Diaspora. Listening to it is the security response team (only me currently, heh...) to judge and handle the disclosed issues.

goob August 3rd, 2013 18:33

Thanks. I saw from your discussion on Github that it's an email address for this purpose. I wasn't sure whether it was something else. A very good idea, but not something I can usefully be part of, I'm afraid.