Lauri Ojansivu edited this page May 20, 2018 · 140 revisions

Offline is the new normal. Open Source and Free Software and Open-Source Hardware is eating the world in the war on general-purpose computing (HN). Encrypted everywhere. Secure by design. Defence in depth. Legal. Allowed to do business. - xet7 2017-05, implementing GDPR

Case: Implementing EU General Data Protection Regulation with Wekan, Sandstorm and Qubes OS.

Disclaimer: All these opinions are my own, and I'm implementing this for myself. This has nothing to do with my previous, current or future employers. Everything is subject to change, as this is a process. I'm not a lawyer. I have not read the full regulation yet, I'm just starting from the very first basic steps. GDPR has different requirements for different industries etc so this may not apply to you. I don't even know what all parts apply to me yet.

I xet7 was this week at Drupalcamp Nordics 2017 and got more details about this regulation, so I started implementing this yesterday in the way I understand it currently, using technologies I'm most familiar with: Wekan, Sandstorm and Qubes OS. All hardware and software is subject to change if better alternatives are found.

This wiki is editable to all users that have GitHub account to add more details or questions what I have not considered yet.

Deadlines

Date Requirements Sanctions if not ready
2017-05-13 Started documenting project. This wiki page history is also used to show versions of process. Unable to do business legally if not documented everything, including process of preparing to regulation
2017-07-31 Need to find missing keys Pay for expensive changing of locks
2017- Find from home all harddrives, USB sticks, etc Not known yet
2017- Downloaded all data from Internet Not known yet
2017- Sorted and moved all data on offline computer to different Qubes OS AppVMs named by person Not known yet
2017- Found all required alternatives to propietary software from Qubes OS and Sandstorm Not known yet
2017- Converted all propietary file formats to free software file formats, like JSON etc. Not known yet
2017- Implemented exporting of all data to file download, and deleting of persons data in web interface Not known yet
2018-04-25 All data stored securely following GDPR Unable to do business legally

Security requirements

There is very high sanctions for data breaches. If I have not considered some security aspect, please add it to this wiki page.

I need to know exactly where all my data physically is. It's not OK to spread it all over Internet in cloud services Google/AWS/Amazon/Dropbox etc. I need the abitily to absolutely have the proof and knowledge that when I delete one person's data, it's gone, totally, completely, from everywhere.

Hardware: x64

Current

a) Current version 3.x of Qubes OS, if hardware supports it. Laptop/Desktop hardware should be silent, otherwise it disturbs work. Qubes-certified laptops are nice, it has hardware switches to turn off wireless. Alternatively desktop PC that has not any wireless WLAN, Bluetooth etc device integrated.

b) If hardware does not support Qubes OS, I will install some of these:

Hardening

Intel AMT Checker for Linux and it's HN discussion.

For me it shows Intel AMT is present, AMT is unprovisioned, so I need to:

Future

Rowhammer protection, see LWN article, SN576, SN583. HN discussion that has comment with links to paper and repo of software protections as linux kernel module (I have not tested it yet) and Qubes Users discussion. Without it, just browsing Internet with Javascript enabled makes it possible to exploit using Javascript on webpage through all layers of virtualization protections and install malware to firmware like UEFI/Graphics card card/harddrive/SD card etc, so it is not possible get clean computer by just securely erasing harddrive. Alternatively malware can then brick computer, making it unable to boot, as has already happened to IoT devices connected to Internet. Currently Google Cloud kills immediately VMs that try to use Rowhammer serverside code. This is needed for all devices in use.

Qubes 4.x certified hardware when it becomes available.

Hardware: ARM

Raspberry Pi or similar ARM device without built-in wireless, so it can be used offline. Fanless preferred to keep it completely silent. I don't know is there any writeable firmware in RasPi at all, is SD card only writeable storage. AFAIK RasPi hardware does not have any hardware virtualization or Rowhammer protection features.

Software

I need to keep multiple encrypted offline backups. Otherwise some ransomware will just encrypt all my files and demand that I give money, bitcoins, etc to get my files back. Malware exists for most Operating systems, including Linux.

Media type:

a) Write-only, like DVD-R

b) Is there storage media that has physical hardware switch that makes media read-only ?

I need to have source code for every software I use, and tested working way to compile it from source.

I need to test Qubes compromise recovery.

Porting software to Sandstorm. Not all ports are up-to-date yet, but they are anyway protected by Sandstorm high-end security features, security audit with fixes already implemented and also authentication and clustering.

Web developer security checklist and it's HN discussion

Software Propietary Desktop Propietary Web FLOSS Desktop FLOSS Web
Word processing MS Word Google Docs LibreOffice Writer Sandstorm / Etherpad
Spreadsheet MS Excel Google Sheets LibreOffice Calc Sandstorm / EtherCalc
Presentations MS PowerPoint Google Slides LibreOffice Impress Sandstorm / Hacker Slides
RAD Database MS Access - LibreOffice Base nuBuilderPro
Basic Programming MS Visual Basic - Gambas see FLOSS353 Gambas
Pascal Programming Delphi - Lazarus, Lazarus for Amiga, AROS, MorphOS, Ultibo IoT OS for Raspberry Pi -
Cross-platform programming - - Haxe with HaxeUI Haxe with HaxeUI
Diagramming and Vector graphics editor MS Visio - LibreOffice Draw, Inkscape has also JPG to SVG etc, Dia Sandstorm / draw.io
Password manager LastPass LastPass KeePass Sandstorm / Sandpass
Hardware info CPU-Z - I-Nex -
Kanban - Trello - Sandstorm / Wekan see author's talk - current maintainer is xet7
Chat Skype Slack Pidgin, HexChat Sandstorm / SandChat and Rocket.Chat
Video conferencing Skype Google Hangouts Friend, Riot Riot, Sandstorm / Rocket.Chat
Screen recorder - - Simplescreenrecorder, Green recorder, VokoScreen, Byzanz, VLC, OBS Studio, Screenstudio -
Website or Blog - Google Sites, Blogger - Sandstorm / Ghost, WordPress, Hugo, Hakyll CMS
Robot simulation - - - Roboschool and HN discussion
SIEM - - - AlienVault Ossim
Endpoint Visibility - - - osquery see LWN and doorman
Immediate changed file restore, replication and HA - - - mgmt
Compliance to Cyber Security Standards - - - SIMP see FLOSS426, HubbleStack = Saltstack see videos + osquery
Encrypted port knocking - - - fwknop see FLOSS352
Restore database back in time - - - pgBackRest see FLOSS429
Remote Desktop TeamViewer TeamViewer x2go Guacamole
Docker Security Scan - - - Anchore see FLOSS427
Augmented Reality - - - Web

Wekan

General

Support priorities for new features and bugfixes

  1. Commercial Support and Bounties
  2. Community Support
  3. Debugging

Security

Backup

Features

Email

Logs and Stats

Migrating

Settings

Download

Webservers

REST API Docs

REST API issue

REST API client code

Webhooks

Case Studies

Development

Issues

Clone this wiki locally
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.