Jun 28, 01 / Jun 17, 17 18:30 UTC

Basic Levels of Security  

My initial observations are that there is plenty of room for improvement regarding basic security.

I'll try to refrain from turning my first post into a rant of ALL observations, but I will start with a few things very basic.

> User Authentication: The initial registration process does not allow the user to set a password of their choice. This is okay, but the initial password (which is emailed so should not be considered secure) needs to be changed at first login. In fact registration should time-out and not considered valid until this initial password has been changed, limiting access to only the completion of the registration process. NOTE: Voting is allowed prior to the completion and verification of the registration process. This can make the voting process invalid as it is not required to validate registration from a unique email address prior to voting.

Two factor authentication also needs to be at least an option. Many people tend to re-use passwords or have very week passwords. Also the fact is that some Asgardians subscribe to many forms of public media sites whilst using the same username and password; if any of those sites become compromised the use of a static password becomes a problem. Multiple forms of two factor authentication exist therefore there should be multiple options (YubiKey, Duo, Authy, Onlykey, etc. )

> Password Storage: Simply put; the following should be a guideline -https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

> Data at rest/transit/use: Data needs to be encrypted in a way which prevents all or parts of data in a database from being exposed if compromised. One solution that may be considered is ZeroDB / NuCypher.

Asgardia, if not already, will be a target by not only drive by attackers but also Nation State actors. Due diligence will need to be adapted as soon as possible to ensure current and digital security. Espionage, sabotage and drive-by attacks will be some of the purposes for Asgardia to come under digital attack. We must be ready.

Other parts of this same discussion:

> Security Auditing and Penetration Testing need to be scheduled on a regular basis and need to be built into pre-release process of all public and private networks and applications.

Asg 3, 01 / Jun 20, 17 19:52 UTC

Agree on all of your points. The lack of ability to change passwords coupled with it being sent in clear text via email is concerning. Really makes me question the rest of the security practices such as encrypted storage, salting, etc. How secure is the database that's used to store the personal information collected during registration? A potential SQL injection attack and you've given up information on 200,000+ people.

Asg 5, 01 / Jun 22, 17 17:54 UTC

You can not just assess the security of the database. To avoid any leakage, it is necessary to regularly check all the parameters for safety, and I think that this kind of scanning should be carried out by a group of specialists, rather than 1 person, since this is, in part, a creative work and every specialist has His own individual approach.

And do not forget that SQL is not the only possible vulnerability, potential vulnerabilities are complete, and scanning should occur REGULARLY!

Asg 10, 01 / Jun 27, 17 09:46 UTC

Fully agreed, I find this concerning and should be a top priority topic.

I hope the whole asgardia tech stack will be fully publicly auditable in the future.

Asg 10, 01 / Jun 27, 17 14:54 UTC

Agreed, if he's sending passwords out in cleartext then he's storing them similarly, we may need to replace the current coder(s)

Jul 26, 01 / Aug 10, 17 11:07 UTC

I agree.

Do we know who is responsible for the digital security of Asgardia? Is She/He reading this? I think it would be a good idea to form a group af digital security to test and improve the level of security we have.

Oct 23, 01 / Oct 30, 17 06:20 UTC

https://asgardia.space/en/petitions/17778-hackathon-3901-voting-system/

Nov 25, 01 / Nov 29, 17 14:40 UTC

I would also encourage the move of the community and government forum aspects of Asgardia's site behind and onion address. I know TOR browsers may not be the most convenient for some people, but given the propensity of the US to monitor all web traffic, not doing so is simply asking for our communications, private and public, to be monitored. Likewise hosting Asgardia's resources on an IPFS cloud will allow our resources greater resilience to natural disasters, network failures, and distribution efficiency. 

Dec 4, 01 / Dec 6, 17 08:29 UTC

That said, cybersecurity of user data should be a security and it's concerning that nothing has been done on this subject yet. Supposedly we're electing Members of Parliament who'll be responsible for the legislature and will select members of the judiciary. We'll also start electing the head of government (executive) within 5 years. We're only at the third level of registration and soon, with the 4th level upon us we'll need to provide even more information. How is our data being secured? We have no idea, as far as we're aware it's all being stored in plain sight without any sort of encryption or salting. It's worrisome that a nation basing itself on space and digital technology, arguably the most forward looking one, isn't setting up basic protections for its citizens.

Also, I agree with Lila, we can both continue to use this site and set up an onion service.

Dec 8, 01 / Dec 10, 17 00:57 UTC

I have volunteered to assist where possible with any cyber security initiative within the Asgardia realm. As a practicing cyber security professional over the past 30 years and reviewing the site, application, elections and other areas,  I have noted many observations as well, many noted here, many others not mentioned that need to be addressed.  

Dec 25, 01 / Dec 27, 17 22:31 UTC

I think there should be a group to probe and pick at security to show exploitable weakness 

Mar 8, 02 / Mar 5, 18 18:22 UTC

@rdbrown: excellent list to address.  Basic testing of the site makes it clear much of this is not yet done.   As multiple skilled individuals have offered to volunteer their time, at this point the only obstacles should be qualifying / certifying the human resources and overcoming any financial hurdles presented by the technologies or services required to achieve these items.  As it's been pointed out in this thread Asgardia is likely to be a target for a variety of actors for many reasons, thus we cannot afford to cut corners for the sake of cost (despite having little or no budget).  A tough nut to crack, but not impossible depending on how much trust we place in the corporations providing the aforementioned services.  Many nation states have the same issue to contend with however so we are not alone in that decision, and there is some precedent to work with.