IMC Security Working Group

About

IMC Security is an information technology (IT) security related working group. It is non-public and non-archived, but subscription is possible if some requirements are met (see Policies).

Intentention, goals and responsibilities

The idea to establish an IT security related global working group has been discussed a couple of times on the various tech related mailing lists and chats. So far, both IMC tech and private conversations have been serving this purpose. However, there always applied limits on trustability of audience and transmission methods, so either topics could not be discussed in detail or with just a small set of people in a very intransparent way which would also not provide an option to pass on achieved knowledge and experiences.

IMC Security is supposed to serve the following purposes:

• Discussing security best practice techniques
• Providing (and announcing) How-tos and tutorials to the global IMC tech community (through the IMC documentation project/Wiki and the imc-security-announce or imc-tech mailing lists)
• Increasing knowledge on and elaborating solutions for Indymedia-related IT security issues
• Building and maintaining a core community of people who trust each other, ideally a group of people with a tech background who can be considered trustable and reliable within the whole network

Things this working group must not serve for:

• Adding another layer of technocratic hierarchy
• Building a closed tech elite
• Drawing attention off the general IMC Tech working group

The IMC Security group's goal is to support people with technical skills in creating and maintaining a more secure Independent Media Center Network. The security of the network consists of a few major components:

• The network connections of the servers which run the network
• The operating system software of the servers which run the network
• The software which runs Indymedias services such as web sites, email, mailing lists, database clusters, backup servers etc.

To increase the security of these various components, the imc-security group has the following responsibilities:

• To disseminate information, via the imc-security-announce list, of critical vulnerabilities for the operating systems being used on servers in the network. (is this true, or should we expect admins to subscribe to the lists for their distros?)
• To provide guidelines for "best practices" when configuring the operating system software for servers in the network, for example web server, ssh and logrotate configurations.
• To collect information about vulnerabilities in IMC CMS software, find patches for these and then distribute the fix information on the imc-security-announce list

Documentation

The security documentation made available by IMC Security is located at ImcSecurityDocs.

Mailing list

Information on the IMC Security mailing list is available at ImcSecurityMailingList.