Blockchain, Cryptocurrency, Consensus tokens, Russia and AMS systems

tendenci cloud security monitoring

The headline is ridiculous. But I couldn’t make this up in my wildest dreams. Yes, cryptocurrency, blockchain, and association management systems (AMS) are all interconnected. And the primary connection is Russia.

Stay with me for a second, get a cup of coffee, and read on.

First cryptocurrency isn’t a thing. It’s two parts. I try to explain cryptocurrency like this:

  1. BlockChain = Clipboard with a piece of paper. You check stuff in and out until you are out of paper. Some clipboards have more sheets of paper than others.
  2. Scarcity – Scarce object = some mathematically difficult to produce number. Or controlled by an authority like the Private Federal Reserve in the US.

Picture a clip board. And you are checking in and out some token. That token only has value if it delivers value. And the best way to determine that is really a classic economics popularity contest.

Note: This author does a GREAT job of explaining concensus capital: https://medium.com/@tompocock/consensus-capital-part-1-dff72ba39a63

These are not tulips. Blockchain is a tech that will disrupt everything from how we do a Turn-Around at the Olefins units at LyondellBassell, to how BP manages wind farms, to how carfax will be disrupted by a VIN blockchain startup.

What does this have to do with Association Management Systems?

Believe it or not, they are intertwined. So be careful on your selection of crypto for smart contracts. I’d recommend looking at HyperLedger  (https://www.hyperledger.org/) as an alternative to Russian Bank backed by Dmitry Buterin and his son Vitalik’s Ethereum .  ( https://futurism.com/ethereums-founder-struck-a-deal-with-a-russian-bank-to-create-ethereum-russia/ )

Not everyone in the crypto community is fond of Ethereum and Russian owned AMS Wild Apricot, now Personify, even in the crypto community. ( https://medium.com/@rateico_32282/how-much-would-you-sell-your-homeland-the-secret-of-ethereums-success-748f0b763c62 )

 

If you can’t access the code, self host if you want, and export ALL of your data when you want, well, why not? Why does anyone in the NonProfit / NPO / NGO / Association Management space tolerate that in 2018? It is 2018, right?

If you signed up with a company where the deal was “too good to be true”…. um…. ya, think that one through again. They have to pay people, so they are either funded by someone, or they are selling your data.

YOU are part of the problem with InfoWars and Propaganda in the US. (is that too blunt? Nope.) For example: Wild Apricot / Personify.

Wild Apricot, Russia, AMS
25% of American Constituents in Russian Backed Wild Apricot

Ethereum is at least open source ( https://github.com/ethereum ) so you can view the code. With the exception of Tendenci ( https://www.tendenci.com ) and CiviCrm, ( https://civicrm.org/ ) most AMS vendors aren’t open,  not even ones created and financed by Russia and the Chief Apricot ( https://www.linkedin.com/in/chiefapricot/ ), who is also coincidentally the father of Vitalik himself ( https://twitter.com/VitalikButerin ).

On the plus side, after years of joking about it, for once we can legitimately blame Canada and their dual-citizenships.

We’re building a wall with Mexico and allowing Russian company’s interests to mine Uranium ( https://www.csmonitor.com/USA/Politics/2017/1114/What-s-the-real-story-behind-Hillary-Clinton-Russia-and-uranium ) in the US. And Russian programmers to control 25% (according to the Personify web site https://personifycorp.com/ ) of US Constituents like Washington’s League of Women Voters ( https://leagueofwomenvotersofwashington.wildapricot.org/issues ) .

And then we act surprised that Russia is meddling in our elections and knows know how to target voters.. Baroo?

These are strange times. But yes, Canada? I’m looking at YOU!

And as a reminder, as if y’all needed me to state this again, but we strongly encourage you to use an OPEN SOURCE solution with transparency. If it’s Tendenci, WordPress, Drupal, CiviCRM, Joomla,

Just please stand up for what’s right.

Demand access and transparency.

Tendenci is a movement.

Tendenci is a community committed to open association technology.

Global. Multilingual. Collaborative. Positive. Respectful of your privacy and functional at a level as you would expect from a product approaching 20 years old.

Associations are Powerful – and therefore Targets for Hackers

Associations are very powerful, particularly in America.

Think about it. Your Doctor is approved by the American Medical Association. Your Attorney is approved by the American BAR association. Your Accountant is approved by the American Association of CPAs (certified public accountants).  A person’s license /certifications may be “recognized” by the government, but ultimately it is a group of peers that form the association.

Americans of all ages, all stations of life, and all types of disposition are forever forming associations… In democratic countries knowledge of how to combine is the mother of all other forms of knowledge; on its progress depends that of all the others.

– Alexis de Tocqueville – Book Two, Chapter V. (source)

This may sound philosophical, and we’ve blogged about this before, but it’s important for associations to remember just how much power they have.  And with power comes great responsibility.

YOUR ASSOCIATION IS A HACKER TARGET

Why? Because it’s logical.

If you were a dictator in a country that had sanctions against it, I dunno, maybe they didn’t allow US Companies to help you drill for your oil reserves and you lacked the technology to do it yourself, wouldn’t it make sense to go after an association of accomplished professionals in that area?

St. Petersburg IP Address Alerts
Security Alerts with  IP addresses (listed as) St. Petersburg Targeting Associations. NOTE: IP Addresses are easy to fake so it could be a false positive.

It sounds horrible, but it is logical in a Machiavellian kind of way.

A story for y’all. I was talking to a client who had a Tendenci Open Source AMS site for a group of students at universities in the liberal arts. He said

nobody is going after English majors“.

“Oh really?” I asked.

Then I asked If any of his students attended X University (really I could have picked any University). He said “yes.” I pointed out that exact University also has extensive Chemistry, Energy and Engineering programs that do cutting edge work.

My point was if you can do spear phishing on a student to get closer to an Engineering Professor with expertise in Directional Drilling, wouldn’t Russia be interested in that? Would North Korea be interested in obtaining information on the latest tech in chemistry? Of course they would.

Those countries might not even be directly doing the hack attempt. But a entrepreneurial hacker knows there is a market for that data. Would Russia buy it? Yes. Would the US buy it? Yes.

My point was simply that if you can infect the computer or phone of one student, any student, then you can get into the network. And then move laterally. You are in.

Again – to the POWER of ASSOCIATIONS:

Americans combine to give fêtes, found seminaries, build churches, distribute books, and send missionaries to the antipodes. Hospitals, prisons, and schools take shape in that way. Finally, if they want to proclaim a truth or propagate some feeling by the encouragement of a great example, they form an association. In every case, at the head of any new undertaking, where in France you would find the government or in England some territorial magnate, in the United States you are sure to find an association. I have come across several types of association in America of which, I confess, I had not previously the slightest conception, and I have often admired the extreme skill they show in proposing a common object for the exertions of very many and in inducing them voluntarily to pursue it.

– Alexis de Tocqueville – Book Two, Chapter V. (source)

This is not to scare users of any association management software. It is pointing out facts and hopefully increasing awareness among NGO technology professionals, association executives, association leadership and in fact (hopefully) the whole country, that there is a serious vulnerability if not addressed seriously.

ALERT: Fruitfly/Quimitchin malware for Mac in the Wild

darkreading malware for mac article

Mac users, particularly in academia or the biomedical or academic field. Be aware of the Fruitfly/Quimitchin malware. It includes a keystroke logger, accesses your cam, takes screenshots of your desktop frequently which are then  uploaded, and more. What to do:

  1. Learn about Quimitchin malware at https://www.darkreading.com/partner-perspectives/malwarebytes/meet-fruitfly–mac-malware-targeting-biomedical-research-centers/a/d-id/1327953
  2. Put a sticker over your camera when not in use. I am a member of EFF and put one of their stickers over your camera.
  3. Install an antivirus like Avira Antivirus for Mac (only from official site or app store). If you can afford it, support them by buying their products.
  4. Install Malwarebytes or a similar anti-malware program (only from official site or app store)
  5. Use different passwords on different sites. Variations on a password like “Smoking Chair Hat5!” is far better than “zds9bhy4@”. It’s just statistics, you won’t use the second one because you can’t remember it. Just change the first one a bit every time for each site. Password crackers can’t “partially” crack a password. Plus we use Rainbow tables anyway.
    1. Remember, if you have a keystroke logger installed, then how complex your password is, well, irrelevant. Therefore first clean the computer. Don’t think Macs or Linux can’t be infected – they can and frequently ARE.
  6. Use common sense and DON’T CLICK THAT LINK IN YOUR EMAIL.

Stay alert folks. Because they really are out to get you. That’s not paranoia, it’s just reality unfortunately.

 

installing lynis on ubuntu 16.04 notes

auditing linux security

Security auditing on Ubuntu 16.04? If not you should be. One great tool you can use in your arsenal is Lynis security auditing. Yes this is completely redundant with OSSEC wazuh and third party Cloud Trail audits, but there is no harm in triple checking.

Why the paranoia? Because you can’t completely rely on any one system imho so human spot checks, particularly on your endpoints (or honeypots #heh) is an essential part of the process. Plus at AWS you can create a temp “hot” AMI and tear the thing apart while it is in an ACL/Security Group cage, and then delete it without an attacker ever knowing.

Regarding Lynis security auditing, the ubuntu apt package for lynis (e.g. apt install) is still on version 2.1 and the current version is 2.6. First off 2.6 is much faster. Secondarily it gives a lot fewer false positives on Ubuntu 16.04.

My notes from:
https://packages.cisofy.com/community/#debian-ubuntu

# auditing -posts age CHECK THE LINK ABOVE
sudo su
apt install lynis
wget -O - https://packages.cisofy.com/keys/cisofy-software-public.key | sudo apt-key add -
apt install apt-transport-https
echo 'Acquire::Languages "none";' | sudo tee /etc/apt/apt.conf.d/99disable-translations
echo "deb https://packages.cisofy.com/community/lynis/deb/ xenial main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list
apt update
apt upgrade
lynis show version

Again – check your version! Note I specified xenial in my notes, because that particular server is on xenial. You might not be. Read the Lynis docs. And happy auditing!