Document Storage/Meeting Notes 2017-11-13
Latest revision as of 06:24, 15 November 2017

== Document Storage ==
; Date
: Monday, 13 November 2017 from 7:00pm to 9:00pm
; Meetup Event
: https://www.meetup.com/NetSquared-Kitchener-Waterloo/events/243067519/
; Location
: Queen Street Commons Cafe, 43 Queen Street South, Kitchener, Ontario
; Event Announcement
: [[Document Storage/Announcement 2017-11-13]]

How do you store your documents? Where do you store them? What software creates your documents? What software stores them? What software retrieves them? What about document indexing and searching? How do you deal with non-textual documents? What document file format do you use? Is parchment and goose-quill still best?

This month there'll be a shooting match between the Well-Known Format SysAdmins and the OpenStandards SysAdmins. But it'll be a polite shooting match at our round table discussion, with SysAdmins relating their own practices, learning new ones, and telling tall tales.

--Bob Jonkman & Marc Paré
==== Resources ====
[https://www.techsoupcanada.ca/en/directory/419 File Storage | TechSoup Canada]
[https://nextcloud.com/ Nextcloud] or [https://owncloud.org/ ownCloud]
==== Future Venues ====
* Communitech has indicated we can no longer use the Jellybean Room on Mondays
** but the room is available on Wednesdays
*** but it's only available until 8:00pm
*** do we want to switch meeting days?
** Marc will check if there's any availability on Mondays
*** but the cost will probably be higher ($15/hr now)

* We were contacted by Reg from [https://www.1kingnorth.ca/ One King North] {{map|url=https://osm.org/go/ZXnboydI--?m=}}, a coworking space
** Reg indicated that "Also it's complimentary, so you don't have to pay for using our space to hold meetups"
** Marc followed up with Reg and has yet to hear back from him
*** Apparently, Reg was unclear in his communication; the probability of having access to this venue space does not look promising

* Other possible venues:
** Old school board building (Marc has contacts, will investigate)
** [https://regionofwaterloo.cioc.ca/record/CND1557 Downtown Community Centre] {{map|url=https://osm.org/go/ZXnwWjXA--?m=}}
*** but they require all KWNPSA attendees to purchase memberships at $15/year
*** Paul Nijjar investigated for KWLUG; it was deemed unsuitable for a non-profit group
*** Bob's notes indicate there are also meeting room fees, insurance costs, and participants under 18 years old are not allowed.
** [https://www.descendantsbeer.com/ Descendants Beer & Beverage Co.] apparently has meeting facilities. Kirk will investigate. {{map|url=https://osm.org/go/ZXnwdGkY--?m=}}
==== Meeting Notes ====

===== Cloud Storage =====
* [https://www.office.com/ Microsoft Office 365]
** Lots of KWNPSA members use Office 365
** Default installation moves documents to US servers
** Microsoft will move documents to Canadian servers on request
*** but this may take up to seven years
** Microsoft OneDrive was automatically installed at one organization
** Business version of Skype can't be turned off once it's installed!
*** It is difficult to use Business Skype with non-business instances of Skype
*** But there is finally a good GNU/Linux client for Skype, which works with multiple video streams

* [https://gsuite.google.com/features/ Google G Suite] (Google Docs)
** Used by political organizations
*** This seems like a bad idea; want to keep political affiliations and activity away from prying eyes
** Google Drive storage
*** Some SysAdmins have seen identical filenames in folders
**** Perhaps the User Interface hides extensions or filename suffixes
*** Maybe Google Drive uses links or pointers?
**** People move files, but they still exist in their original locations
**** Google Mail uses flat storage of all messages; tags on each message are displayed in the UI as though they were a folder structure

* Cloud horror stories:
** Company advertising genetic testing services stored data in the cloud
*** then sold people's personal genetic data to a pharmaceutical or insurance company
** Genealogy company acquired data stored "freely available" on individuals' web sites
*** Now sells this data, and it is not available to the original authors
*** Suggestion: "Poison the well" by creating a "Fake Uncle Ralph" to prove authorship (see [[Wikipedia:Trap street]])

* Security risks
** Commercial cloud providers will hand over customer data to authorities
*** National Security Letters -- cloud providers may be compelled to keep this data access secret from their customers
** Ensure you have a contract with a Service Level Agreement (SLA) that specifies where servers are located (Canada? US?) and how data is routed
*** Even if source and destination are both in Canada, traffic may still be routed through the US and subject to snooping; Canadian data has no protection when routed through the US
** Technical means: [[Wikipedia:Source Routing|Source Routing]] can specify how a packet is sent through the network (Internet)
===== Encrypted File Storage =====
* Use VPNs to keep remote sites within your own network
* Encrypted tunnels, e.g. Secure Shell ([[Wikipedia:SSHFS|sshfs]])
* Encrypted file systems
** e.g. [https://nextcloud.com/ Nextcloud], [https://owncloud.org/ ownCloud]
** Must ensure that the encrypted file system is not mounted on a remote, unsecured server
* Encrypted containers
** e.g. TrueCrypt (now obsolete, use [https://www.veracrypt.fr/en/Home.html VeraCrypt] instead)
** e.g. [https://www.ciphershed.org/ CipherShed]
*** TrueCrypt, VeraCrypt and CipherShed are all cross-platform (Windows, MacOS, GNU/Linux)
** e.g. [[Wikipedia:LUKS|LUKS]]
*** See [http://bob.jonkman.ca/blogs/2017/10/09/how-to-create-an-encrypted-drive-in-a-file-container/ How To Create an Encrypted Drive in a File Container] by Bob Jonkman
** e.g. FreeOTFE (obsolete) or [https://github.com/t-d-k/LibreCrypt LibreCrypt], which provides OTFE (On-The-Fly Encryption) for Windows and is LUKS compatible
* For any corporate encryption, Additional Decryption Keys (ADKs) are needed
** Any user-encrypted files or containers can be decrypted by the organization's ADK; this ensures data is not lost when a user forgets a password or leaves the organization
* Office 365 encryption
** The culture for Microsoft products is less concerned with encryption (poor adoption of encrypted technologies?)

* Encrypted Backups?
** For backups in the cloud, or on local storage
** Encrypted backups can become unrestorable through minor errors
*** Bob recommends making unencrypted backups, then saving them in an encrypted container; even better, keep unencrypted backups physically secure
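
The three points above (an encrypted drive in a file container, an organizational recovery key, and the risk of an unrestorable container) fit together in one procedure. The script below is an added example written for these notes; it is not Bob Jonkman's script from the linked blog post and not part of the original page. It assumes Linux with cryptsetup, coreutils and e2fsprogs, run as root; the recovery-key path and the device-mapper naming are choices made for this example. LUKS key slots give the "Additional Decryption Key" role directly: slot 0 holds the user's passphrase, slot 1 holds a key file the organization keeps offline, and either one opens the container. The header backup is the safeguard against the "minor error" failure mode, since a damaged LUKS header loses every slot at once.

```shell
#!/bin/sh
# Added example (not from the page or from Bob Jonkman's blog post): build a LUKS
# encrypted drive inside an ordinary file, enrol a second key slot holding the
# organization's recovery key (the "Additional Decryption Key" role from the notes),
# and keep a header backup so a damaged header does not make the container
# unrestorable. Assumes Linux with cryptsetup, coreutils and e2fsprogs, run as root.
# The recovery-key path is a placeholder chosen for this example.
set -eu

RECOVERY_KEY_FILE=${RECOVERY_KEY_FILE:-/root/kwnpsa-recovery.key}

# Accept only sizes like 512M or 2G, the forms passed on to truncate(1) here.
valid_size() {
    printf '%s' "$1" | grep -Eq '^[1-9][0-9]*[MG]$'
}

# Device-mapper name derived from the container file: /srv/vault.img -> vault
mapper_name() {
    base=$(basename "$1")
    printf '%s\n' "${base%.*}"
}

# Random 512-bit recovery key, readable by root only; created once, then kept offline.
make_recovery_key() {
    [ -e "$RECOVERY_KEY_FILE" ] && return 0
    umask 077
    head -c 64 /dev/urandom > "$RECOVERY_KEY_FILE"
}

create_container() {
    img=$1; size=$2; name=$(mapper_name "$img")
    valid_size "$size" || { echo "size must look like 512M or 2G" >&2; return 1; }
    [ -e "$img" ] && { echo "refusing to overwrite $img" >&2; return 1; }
    make_recovery_key
    umask 077                      # the ciphertext file itself is root-only
    truncate -s "$size" "$img"     # sparse file; grows as data is written
    cryptsetup luksFormat --type luks2 "$img"          # slot 0: user passphrase (interactive)
    cryptsetup luksAddKey "$img" "$RECOVERY_KEY_FILE"  # slot 1: organization recovery key
    # Header backup: store it somewhere other than the disk holding $img.
    cryptsetup luksHeaderBackup "$img" --header-backup-file "$img.luks-header.bak"
    cryptsetup open "$img" "$name"
    mkfs.ext4 -q "/dev/mapper/$name"
    cryptsetup close "$name"
}

# Either the passphrase or the recovery key (cryptsetup open --key-file) unlocks it.
mount_container() {
    img=$1; dir=$2; name=$(mapper_name "$img")
    cryptsetup open "$img" "$name"
    mkdir -p "$dir" && mount "/dev/mapper/$name" "$dir"
}

umount_container() {
    img=$1; name=$(mapper_name "$img")
    umount "/dev/mapper/$name" && cryptsetup close "$name"
}

case "${1:-}" in
    create) create_container "$2" "$3" ;;
    mount)  mount_container "$2" "$3" ;;
    umount) umount_container "$2" ;;
esac
```

Usage: `luks-container.sh create /srv/vault.img 2G`, then `luks-container.sh mount /srv/vault.img /mnt/vault` and `luks-container.sh umount /srv/vault.img`. The recovery key file and the header backup belong on separate, physically secured media, which is the same advice the notes give for unencrypted backups.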
===== Sharing Files =====
* File permissions
** Staff don't know how to use filesystem permissions, so they make all files globally readable and writeable
* Use a Document Management System (DMS) to assign authorization to documents
** Access control with a DMS can be more finely tuned
** A DMS also provides benefits such as metadata and search/indexing
** but it needs the skills of a librarian to properly catalogue documents
** and a DMS adds another layer of abstraction: more work for the SysAdmin, more to go wrong
* Physical file systems (file cabinets, folders) were treated better by staff than digital file systems
* Using Roaming Profiles for shared file access
** The SysAdmin can force desktop computers to put "My Documents", "My Pictures" &c. on the server for shared and secure storage
*** Doesn't work for Windows' "My Desktop"; that folder appears to have special privileges, but we don't know how
*** Can "My Desktop" or "My Documents" be made read-only to force staff to use server storage? Doubtful
** Thin clients don't store data locally
** Use the Browser Local Storage? (please, no)
** The "Libraries" feature in Windows can combine several folders (from different sources) into one
* Commercial applications for managing roaming profiles: Micro Focus ZENworks (formerly NAL, Novell Application Launcher); Intel LANDesk Manager; Computer Associates
* Staff get easily confused by shared filesystems
** Folder tree changes, filename and foldername changes
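
The "globally read/writeable" problem under File permissions is easy to detect and to fix on a server share without asking staff to learn permission bits. The script below is an added example, not part of the original page: it lists everything under a tree that any local account can modify, then turns the tree into a group-owned share where directories carry the setgid bit (so files created by one staff member are automatically owned by the shared group) and "others" have no access. It assumes a POSIX file system on Linux or BSD; the share path and group name used in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the page): find entries on a shared tree that anyone on
# the machine can modify, then convert the tree into a group-owned share where new
# files inherit the group (setgid) and "others" get nothing. Assumes a POSIX file
# system; the directory and group names in the usage line are placeholders.
set -eu

# Print every file or directory under $1 whose mode has the other-write bit (o+w).
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -print
}

# The same check as a number, for a nightly report or a monitoring threshold.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Make $1 a share for group $2: directories 2770 (setgid so new files inherit the
# group), files 0660 (a document share carries no executables), nothing for others.
harden_shared_dir() {
    dir=$1; group=$2
    chgrp -R "$group" "$dir"
    find "$dir" -type d -exec chmod 2770 {} +
    find "$dir" -type f -exec chmod 0660 {} +
}

# Report the damage, then fix it:  ./share-perms.sh /srv/share staff
if [ $# -eq 2 ]; then
    n=$(count_world_writable "$1")
    echo "$n world-writable entries under $1"
    [ "$n" -gt 0 ] && list_world_writable "$1"
    harden_shared_dir "$1" "$2"
    echo "now $(count_world_writable "$1") world-writable entries"
fi
```

Run the report part alone first (call `list_world_writable` on the share) and keep its output; a share where staff have been opening everything up usually also contains files they did not mean to share at all.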
===== Storing Binary Files =====
* Music files, photos, video, CAD drawings, &c.
* Using Google Drive is not efficient for binary files; better to keep them on local (non-cloud) storage
** Post-production for music can't be done online
* Cloud services need cloud-based client software to manage binary files
** Google Docs does not have a good music client to manage music files for an orchestra
** But Google Docs has good photo apps
===== USB Sticks or Thumbdrives =====
* How to prevent the use of USB drives?
** Physically hot-glue the USB ports on the organization's computers
** Pop up a warning to the user when a USB device is inserted
** Lock the computer when a USB device is inserted
* Worried about "Parking Lot USBs" (USB drives found in the parking lot, which may contain a malicious payload)
** Physical attacks through high-voltage discharges (see https://usbkill.com/ )
** The only protection against physical attacks is physical protection
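
"Lock the computer when a USB device is inserted" can be done on a GNU/Linux desktop with a udev rule and a small handler, which also gives the audit trail the "parking lot USB" worry calls for. The script below is an added example, not part of the original page or any project's code. It assumes Linux with udev, systemd-logind (for `loginctl`) and `logger`; the rule file and handler paths are placeholders chosen here. The rule fires when a block device whose `ID_BUS` is `usb` is added, which is how udev labels disks behind a USB storage bridge, so keyboards and mice do not trigger it.

```shell
#!/bin/sh
# Added example (not from the page): log every USB mass-storage insertion and lock
# all logged-in sessions when one appears. Two parts: a udev rule that fires on
# block devices arriving over USB, and this script as the rule's RUN handler.
# Assumes Linux with udev, systemd-logind (loginctl) and logger. The file paths
# are placeholders chosen for this example.
set -eu

RULE_FILE=/etc/udev/rules.d/90-usb-storage-watch.rules   # placeholder path
HANDLER=/usr/local/sbin/usb-storage-watch                # placeholder path

# Is this event a USB block device being added? udev hands these in as env vars.
is_usb_storage_event() {
    action=$1; subsystem=$2; bus=$3
    [ "$action" = add ] && [ "$subsystem" = block ] && [ "$bus" = usb ]
}

# One-line audit record built from udev's standard device properties.
describe_device() {
    devname=$1; vendor=$2; model=$3; serial=$4
    printf 'usb-storage inserted: %s vendor=%s model=%s serial=%s' \
        "$devname" "$vendor" "$model" "$serial"
}

# Write the rule and make udev pick it up. ID_BUS=usb is set by udev's usb_id
# builtin on disks attached through a USB bridge; DEVTYPE=disk skips partitions.
install_rule() {
    cat > "$RULE_FILE" <<EOF
ACTION=="add", SUBSYSTEM=="block", ENV{ID_BUS}=="usb", ENV{DEVTYPE}=="disk", RUN+="$HANDLER handle"
EOF
    udevadm control --reload-rules
}

# Called by udev: record the event in syslog, then lock every session so nothing
# that auto-runs from the stick inherits an unlocked desktop.
handle_event() {
    is_usb_storage_event "${ACTION:-}" "${SUBSYSTEM:-}" "${ID_BUS:-}" || return 0
    msg=$(describe_device "${DEVNAME:-?}" "${ID_VENDOR:-?}" "${ID_MODEL:-?}" "${ID_SERIAL_SHORT:-?}")
    logger -t usb-storage-watch -p auth.warning "$msg"
    loginctl lock-sessions
}

case "${1:-}" in
    install) install_rule ;;
    handle)  handle_event ;;
esac
```

Copy the script to the handler path, run `usb-storage-watch install` as root, and check `journalctl -t usb-storage-watch` after plugging in a test stick. udev runs `RUN+=` programs briefly and in a restricted environment; if `loginctl` cannot reach logind from there, keep the logging in the handler and have the rule start a systemd unit that does the locking instead.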
==== Future Topics ====
* [[Document Management]]: There are specialized software tools to manage your documents, provide version control, allow staff to check out documents for exclusive access, and provide indexing and search tools. What do you use?
* [[Encryption]]: How do encrypted file systems work? Demonstration/Workshop on creating encrypted file containers.
* Microsoft Evening (do they still provide sponsorship? Marc will check with Eli)

[[Category:KWNPSA Meeting Notes]]