(+1-718-303-3204) and press 6, conference 1 ​https://live.mayfirst.org/mexcla/en/1

Agenda Items

• movim -- on im.mayfirst.org i.e.=> pod.movim.eu
• dovecot transition plan
• Drupal vulnerability
• Report on DDOS and exiting vulnerability

Random notes

movim. Like a social network over xmpp. Doesn't support ostatus. mv has been experimenting with it. Jamie would like to see us experiment with movim on im.mayfirst.org. PHP-based XMPP web interface, with social network abilities. Blog + pub sub. No OTR (not sure how OTR would work over the web, since you'd have to have the fingerprints locally). mv has been playing with movim, though not sure if we should adopt it. If we experiment with it, probably worthwhile to have a development XMPP server. Dev environment brings up a bigger question: switch from ejabber to prosody as XMPP backbone. prosody.im has better security. Could do prosidy + movim in a dev environment.

Create im.dev.mayfirst.org with movim to test, and eventually move to im.mayfirst.org? movim doesn't need to be on same server as XMPP service. movim could be installed as a regular hosting order on the mayfirst.org memership.

dovecot. We use a pop server called courier. it is fine but we have had members who have problems with slow access to inboxes and time outs on web mail. Dovecot does some indexing that could alleviate some of those performance problems. steve is working on this

dovecot plus lmtp for local delivery plus sieve -- that's our target configuration

This is something that would be easy to set up on a brand new mosh, but what about the transition plan? It might be too early to discuss until we get a new mosh set up with it.

Dovecot understands maildir. There is mailbox conversion process that needs to happen. It seems to be an issue of changing file names for the most part.

There are a couple of quirks in the migration process. 85 people have maildrop rules, and we'll have to communicate that those rules won't work with dovecot; they'll need to convert them. An automated rule translation might be tricky. We might have an system rule to send it to a junk mail folder and tell people they have to convert mailbox rules to sieve. It might be time to make the new mosh and move on it. We can test it for a few weeks and choose an exisiting mosh and test it. Possibly Chavez. Pick and existing mosh to test, third to transition.

drupal vulnerability. Two weeks ago, there was probably the most serious drupal vulnerability ever discovered. A SQL injection vulnerability, exploitable by anonymous users. Most members use our central drupal installation; this allows us to upgrade drupal, which has the effect of upgrading all members sites. We upgraded w/in three hours of the vulnerability announcement. The vast majority of our members should be safe. There are members that don't use central drupal installation. There are 160 drupal 7 databases are not running drupal 7.32 -- potentiall 160 websites vulnerable to exploit. malcolm had 7 databases that were identified as vulnerable, but only two were connected to active drupal sites. If you've adopted a mosh, please check that mosh for un-upgraded D7 sites, and use drush to upgrade. Just go ahead an upgrade. There's a wiki page with more information on how to check for and upgrade these sites. Would like to have this done within a week. Phase II - try to determine if any of our D7 sites have been compomised.

Is there any preparation being made for Drupal 8, which comes out next year?

Haven't done anything related to Drupal 8. At very least, we'll need to make sure that D8 can be installed via control panel. Need to learn more about what's coming up in drupal 8.

DDOS. One of our members has been campaigning for divestment in companies supporting occupation of palestine. They've been very successful recently. It's given their website lots of publicity, and some folks decided to attack it. In this case, attacker repeatedly saturated our entire connection at one of our colos. Saturating a colo means taking 50% of our members offline.

deflect: service to help protect political web sites from DDOS. That helped in this case.

Bigger problem: an attacker can take half our members offline with a DDOS attack. How do we protect members, if an attacker can take down one of our two colos.

In June, MFPL organized a 1-day gathering with APC. Did a day-long session and DDOS attack. People behind deflect were there.

Everything that deflect does is based of FOSS software, and they publish exactly how they set up their deflect network. Started working on how we can contribute servers to deflect network, and how we can use their software and configuration to set up our own deflect network.

Latest attack was on dorothy itself, and dorothy's IP address was null routed. It was a UDP attack, and fairly sophisticated.

How does deflect work? They only protect websites. They take over DNS authority, and point A records to their servers, which run some sort of caching software. These servers also run software to detect attacks, and to mitigate them.

The UDP attack - we think they determined that the mail server was dorothy (via MX records), and they decided to attack dorothy. If our link is saturated, we can't get in to do diagnostics. HE null-routed dorothy's IP, until we called them and asked them to remove the null route.

Are those servers safe now? Dorothy is back up and running. After moving our member behind deflect, they continued to receive DDOS attacks, but deflect was able to stop them.

Other Items

Libre Planet. Held every year in boston. Next one is March 21--22. Boston group is trying to put together a presentation proposal. Would also like to reach out to ex-offenders, to teach free software for skill training. Continue to do classes at Boston's south end tech center.

Techie of color program. Would like to continue the project, but we can't do it without funding. Perhaps Ben & Jerry's could be a source of funding (Movement Resource Group). It's grant funding.

There's a Boston interpreters collective. They might be helpful for organizing free software classes to spanish speakers.

Is there more wheezy upgrade work to do? Remaining squeeze servers were switched to long term support, so security upgrades aren't an issue. Have maybe a dozen squeeze servers. A few old servers are for members that need old php. Others are servers that we haven't gotten to. Jamie will put together a list of servers to upgrade. Would be nice to finish the squeeze -> wheeze upgrades, before jessie was released.