Privacy and Security
Category : SecureOffice
Published by xoops on 29-Nov-2020 17:20

Table_of_Contents

1    Your Information is Valuable to Snoops

2    Information Protected by SecureOffice

2.1                Telephone Services

2.2                Email Server

2.3                Web Servers

2.4                Cloud Storage and File Sharing

2.4.1      NextCloud Server

2.4.2      External Cloud Storage

1    Your Information is Valuable to Snoops

Those who pay attention have heard reports of massive security breaches of customer data from large service providers. This data is collected by hackers and, in many cases sold to third parties for the purpose of email and phone telemarketing (spam), identity theft (bank accounts, credit cards). There is also the "problem" of the security state collecting (and recording) massive amounts of data including phone calls, browsing history, financial transactions. This basically amounts to perps "casing your joint". Something you may have said in a phone call years ago may be misinterpreted by the "powers that be", part of a campaign to bring you down, or extort you. Politicians, influential and wealthy people are particularly vulnerable to this risk.

"Knowledge is power". Knowledge (may be falsely alleged, by some) is used is to seek power over and exploit others, given that "rule of law" and free expression has been rationalized away by "rule of some men, enslaving others".

If you have nothing to take, you are safe and can live a life of freedom from everything except ignorance and want. As Janis Joplin opined "Freedom is just another word for nothing left to lose".

If you are a productive (responsible) person, you are a potential target. The fruits of your labors (wealth, property) are coveted by those with no end of rationalizations regarding why your property is theirs, or thugs, who need no rationalizations apart from their alleged needs / entitlements trump your rights.

If you own a business, with sensitive data and trade secrets, your information is extremely valuable to competitors and a target of industrial espionage.

For the purpose of discussion, information falls into three classes:

  • Factual, measurable, provable.
  • Speculative, perceptual manipulation of facts.
  • Completely false, alleged to be truth by self-alleged "experts".

Any information can be speculated on and used to draw you into very risky / expensive legal action. Best to leave as little provable information as possible for those who desire to use it against you.

Information, factual or speculative can be used to extort you, especially if you are influential (wealthy, public figure, bureaucrat, judges, etc.)

The most basic argument for using SecureOffice to locally protect and store your communications and information is one of self-defense. Who is more trustworthy and diligent regarding protecting your information space? You, or, third parties?

Your home and property is your castle, harder to breach. The law alleges that it recognizes this basic fact. Third party service providers have their own concerns and are more prone to sacrifice your information privacy (better you than them), when threatened or placed at risk. Further, if third parties are under order to provide information, many such orders are wide ranging and your information may be disclosed as part of such "fishing expeditions", making you collateral damage, or at least risking being placed in a legal defense position. Such orders also allege that it is a criminal act to notify you or anyone that you are under surveillance and information has been demanded.

By locally managing and protecting your information space, you have at least insured that your information will not be disclosed by a successful security breach of your service providers. Anyone interested in your information will have to individually identify and target you, avoiding you becoming collateral damage to third party breaches and fishing expeditions. If the security state demands your information, they will have to deal with you, as opposed to not knowing that you are under investigation. It is also a simple matter of economics ("proceeds of crime" / effort). It is far more efficient for criminals to target large service providers and gain much information, than it is to target you and gain little information. Managing your own information space keeps you from being "low hanging fruit". You have been warned.

2    Information Protected by SecureOffice

By locally hosting your services (file sharing / storage, databases, websites, phone system, emails, etc.), your information is inherently better protected from the following risks:

  • Disclosure by third parties as part of a blanket fishing expedition by "authorities", hackers and identity thieves.
  • Technical or business failures by service providers causing access interruptions and loss of information. You should at least guard against loss of data by keeping local backups.
  • Each service hosted in the cloud must take security precautions on a per-service basis to protect data in transit over the internet as opposed to securing the periphery between your information space and the internet.
  • With cloud based services, it cannot be guaranteed that only you and those you authorize are the sole parties with access to YOUR information.

2.1                Telephone Services

The reports regarding massive phone tapping and recording by the surveillance state are TRUE. States appear to believe that your private business is theirs (or, in general, YOU are their property, to be used as they see fit). If you disagree, you should DO something about it.

The SecurePBX phone system can, out of the box encrypt all phone calls, assuming the remote party has an encryption capable telephone, many of which are free PC and Android applications. Currently, the SecurePBX (FreeSwitch / ZRTP) call encryption is unbreakable. The only information that snoops can collect is the IP addresses participating in the phone call and when.

If you consider it important to hide who you communicate with and when (dissident networks, etc.), this is possible by configuring a VPN connection using SecureOffice which remote phones / extensions can use for connection to SecurePBX. It becomes unknowable by hackers whether or not phone calls are being made and between who

The developer and a close group of associates has been testing / using SecureOffice / SecurePBX for several years.

2.2                Email Server

Email is the dominant method that hackers and other snoops use to gain access to your information, insert viruses, malware, ransomware, and spyware. Even with a properly configured local email server to prevent third party access to your sent / received emails, precautions need to be taken on your email client PC's, including antivirus. An overview of the risks and safeguards that need to be taken is available here: Email Risks and Precautions. It is also worthwhile to do an internet search: "email security precautions".

Using third party email servers to send / receive email such as your ISP, Gmail, Hotmail, etc. is a security risk, even if you use email encryption such as PGP, for the following reasons:

  • Your emails are stored on third party servers. Even if emails are encrypted, information regarding who you communicate with is stored indefinitely, risking third party access, including "fishing expeditions".
  • Many ISP's block the ports (Unencrypted SMTP: 25, 2525, Encrypted SMTP:465) required for sending emails, to avoid being blocked and blacklisted for spam blocking purposes. ISP's usually provide alternate ports for sending emails, so they can detect spam and blacklist the spammer, rather than being blacklisted themselves. This means that your ISP is able to store your sent emails. For security, it is recommended that you determine whether or not your ISP stores sent emails. If yes, or you do not trust them, best to either get your ISP to unblock the ports required for sending email (so you can send it directly to the recipient without intermediate servers), or find a third party SMTP Smarthost provider which uses unblocked ports and guarantees that they do not store sent emails.
  • The ports (Unencrypted POP3: 110, Encrypted POP3: 995, Unencrypted IMAP: 143, Encrypted IMAP: 993) required for receiving emails are not normally blocked by ISP's, since spam is controlled during send. This means that you can locally run your own email server and no third parties are able to intercept and store your received emails.

An overview of email servers is available on Wikipedia: Email Servers.

It is possible for email server applications to be created for SecureOffice, but that would also require keeping spam filters and anti-virus packages up to date to handle new threats. A better alternative is to run your email server in a virtual machine with automatic updates and much easier configuration. Sme-Server (free) is recommended for this purpose.

SecureOffice uses VmWare (licensed application, $) to host virtual machines. Instructions for installing and configuring VmWare and Sme-Server are provided.

2.3                Web Servers

If you use a third party hosted website with any of the following characteristics:

  • Requires Authentication: Hosting providers can access your site and proprietary information without authentication.
  • Registered users. Hosting providers can access your user database, get access to your user information for identity theft, spam and other purposes.
  • Customer database: Hosting providers can access your customer records for purposes of credit card fraud (identity theft) and soliciting your customers.

Your site may be hacked, spoofed, re-directing pages (such as registration or credit card entry) to other sites to collect information.

In general, without full local control over who can and cannot access your site, you are at risk.

Hosting your own website allows full control over access and security.

Websites can be directly hosted using SecureOffice, or, indirectly using a VmWare virtual machine, running on SecureOffice.

OpenWrt documentation outlines the webserver packages available for OpenWrt / SecureOffice: OpenWrt WebServers. SecureOffice uses and recommends the Nginx webserver.

This website and the developers email server use a Sme-Server virtual machine running on SecureOffice and has for several years.

Installation instructions for (licensed application, $) VmWare Workstation and virtual machine installation is provided on this site.

2.4                Cloud Storage and File Sharing

An Overview of the risks posed and precautions required if you use third party cloud storage and file sharing is here: Cloud Storage Risks. Much more information can be found by an internet search for "cloud storage security risks"

By using SecureOffice for local storage and file sharing, you have total control over what information is shared and, with who.

2.4.1      NextCloud Server

It is recommended to install NextCloud or equivalent to meet your local cloud storage and file sharing requirements. NextCloud is available (as a docker container) for SecureOffice: package details.

2.4.2      External Cloud Storage

SecureOffice provides access to third party cloud storage for those willing to take the security risks or desire it for storage or sharing of insensitive or encrypted data.

RClone provides access to Google Drive, Amazon Drive, S3, Dropbox, Backblaze B2, One Drive, Swift, Hubic, Cloudfiles, Google Cloud Storage, Yandex Files and many other cloud storage services. RClone is available for SecureOffice: package details. General RClone information is available here.