G0OZSWiki
Iain Moffat's Radio Website
view edit history print
SearchWiki

only moffatig.plus.com


Site Menu

Radio

Military Vehicles

Photo Library

Google Search

Admin (Password Required)

Main » Security

Security and Privacy Policies for moffatig.com

NOTE: This version is for the UK Data Protection Act and is being reviewed to ensure compliance with the EU GDPR before it is implemented in April 2018.

Contents

  1. Introduction
  2. Server security policies
  3. Unix Shell User security policies
  4. Mailing List security policies
  5. Forum security policies
  6. File Hosting security policies
  7. General End User security policies for all access
  8. Privacy policies

1. Introduction

This document sets out the security policies for the web and mail servers, forums and wikis at moffatig.com and moffatig.plus.com . This is a public document so the detailed implementation of technical security measures is not appropriate here. Please contact the site owner or your e-mail list moderator if you wish to discuss these directly.

Please note that moffatig.com is hosted on virtual servers and backed up on cloud-based storage. As such it is no more secure than the providers of these services. End Users are advised not to post anything containing personal data through e-mail lists or upload any files containing personal data to servers @ moffatig.com.

The moffatig.plus.com servers are physically under the owner's control and protected by CCTV with motion alarms. While they are backed up to a cloud service the data is AES encrypted with a 256 bit key known only to the owner and changed daily.

This system must hold in order to function end user's e-mail addresses and in the case of list or web administrators and forum members a username and password. The IP addresses of all connections to this system are logged and retained for the life of the system or until disk space runs out.

Nothing in these policies is intended to take on the responsibility of organisations using services hosted by moffatig.com and moffatig.plus.com to consider their position as data controllers under the UK data protection act and to notify in their own name and implement appropriate security privacy and data access policies for data hosted elsewhere than on the moffatig.com or moffatig.plus.com servers. For the avoidance of doubt the owner acts as a data controller for the Wiki and his own websites but is a data processor for forums, email lists and static websites hosted on behalf of other organisations.

2. Server Security Policies

  • The basic security model shall be Deny All / Permit when necessary
  • All admin access to moffatig.com servers shall be password protected
  • All admin access will be by SSH if technically possible or secured by IP address restrictions to trusted hosts if not.
  • A check for the availability of new patches will be done at least weekly and any found will be installed. The owner will subscribe to email notification for patches where it is available.
  • Other than Web and SMTP Mail all network services will be restricted to access from trusted IP addresses.
  • Access to all web applications will be password protected.
  • All shell level users will have personal accounts and no shell or FTP accounts will be shared.
  • Any application requiring a shared password may only be reached by logging in to a personal shell or web account first.
  • A host intrusion detection system will be installed with alerts sent to the owner by email and logs backed up to a remote machine.
  • E-Mail access shall be managed on a deny all/permit trusted basis
  • SSH trust relationships will be constructed so that access to one server does not provide root access to the other without authentication.
  • The root password will be held by the owner alone.
  • (S)FTP accounts will provide access only to the owner's file space and subdirectories thereof
  • All (S)FTP Uploads will be logged.
  • All Passwords will be at least 8 characters and not dictionary words
  • The root password shall be changed from time to time
  • Security violations leading to data loss or a risk to end users shall be reported to the affected end users without delay.
  • Attacks on the system which require amendment to the security policy or implementation will be notified to file hosting and list administrators.
  • Planned outages will be notified to the forum, wiki, file hosting and list administrators at least a week in advance. They should decide whether to notify their end users.
  • As much notice as possible will be given of unplanned outages to the forum, wiki, file hosting and list administrators. They should decide whether to notify end users.
  • Good practice in UNIX security will be followed by the owner having regard to RFC2196 and the NSA Guide for the secure configuration of Red Hat Linux 5 http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf with adjustments for this being essentially a single host and the restrictions imposed by the virtual server environment in which it is hosted.
  • A technical file will be prepared documenting departures from the NSA standard and the reasons for them which will be available to parties with a legitimate interest on request.

3. Unix Account Security Policies

  • Access to UNIX accounts will be granted for specific purposes
  • Access to UNIX accounts is limited to the purpose for which they were set up as notified in the welcome message.
  • Users will be notified of the password and the purposes for which their account can be used at the same time
  • Users should not keep the username, server address and password recorded in the same way in the same place.
  • All logins will be recorded along with the time and remote IP address
  • The operating system keeps a history of recent shell commands
  • UNIX users may upload only content relevant to the purpose for which their account is issued, which is lawful to publish in the UK, and which will not create issues of privacy or consent if made available to the internet as a whole.
  • UNIX users are prohibited from accessing, or attempting to access, other users' data.
  • UNIX Users are responsible for what they upload.

The owner reserves the right to suspend or remove any UNIX shell or FTP account without notice if any security risk or legal risk is suspected, and to delete any content presenting such risk.

4. Mailing List Security Policies

  • Mailing List administrators shall have personal web logins to ensure an audit trail for changes to the DADA Mail configuration and user base
  • Users should not keep the username, server address and password recorded in the same way in the same place.
  • All access to the DADA Mail configuration is logged
  • An archive is kept of all messages sent through DADA
  • All E-Mail addresses registered in DADA are the private property of the end users and must not be published outside the list membership.
  • Protection of E-Mail addresses or lists downloaded from the server is the responsibility of the list administrator. Use of password protected files or storage in locked furniture is advised.
  • Mailing List Administrators are prohibited from accessing, or attempting to access, other users or list's data and messages
  • Mailing list administrators are responsible for placing abusive users on moderation, preventing the posting of inappropriate, illegal, or abusive messages through their lists
  • Mailing list administrators must notify the system owner immediately if any configuration changes are needed to maintain the security of their lists and if any end user is banned or suspected of illegal use of the service.
  • Mailing list administrators are solely responsible for adding new users to their list. All known means of self subscription by end users have been blocked.
  • Mailing list administrators are expected to be the first point of contact for their members in case of technical problems.
  • Mailing list administrators are requested to get agreement from the owner before passing his personal contact details to end users.

5. FORUM Security Policies

Forum Owners, Moderators and Administrators

  • Forum administrators shall have personal web logins to ensure an audit trail for changes to the YaBB configuration and user base
  • Users should not keep the username, server address and password recorded in the same way in the same place.
  • All access to the YaBB configuration is logged
  • An archive is kept of all messages sent through YABB
  • All E-Mail addresses registered in YABB are the private property of the end users and must not be published outside the list membership.
  • Protection of E-Mail addresses or lists downloaded from the server is the responsibility of the list administrator. Use of password protected files or storage in locked furniture is advised.
  • YaBB Administrators are prohibited from accessing, or attempting to access, other users or forums data and messages
  • YaBB administrators are responsible for placing abusive users on moderation, preventing the posting of inappropriate, illegal, or abusive messages through their forums
  • YaBB administrators must notify the system owner immediately if any configuration changes are needed to maintain the security of their forum and if any end user is banned or suspected of illegal use of the service.
  • YaBB forum administrators are solely responsible for adding new users to their forum. All known means of self subscription by end users have been blocked.
  • YaBB forum administrators are expected to be the first point of contact for their members in case of technical problems.
  • YaBB forum administrators are requested to get agreement from the owner before passing his personal contact details to end users.

Forum End Users:

  • End users are solely responsible for what they post
  • End users agree to indemnify the site and forum owner against any legal costs arising for what they post
  • End users are responsible for the safe keeping of any usernames and passwords and must not share them
  • End users should note that any unlawful, abusive or libellous material will be removed and may be reported to the proper authorities by either the forum owner/moderator/administrator or the site owner without warning

6. File / Web hosting Security Policies

  • Access to (S)FTP accounts will be granted for specific purposes
  • Access to (S)FTP accounts is limited to the purpose for which they were set up as notified in the welcome message.
  • Users will be notified of the password and the purposes for which their account can be used at the same time
  • Users should not keep the username, server address and password recorded in the same way in the same place.
  • All logins will be recorded along with the time and remote IP address
  • All (S)FTP file transfers will be recorded
  • (S)FTP users will be prohibited from interactive (shell) login
  • (S)FTP users may upload only content relevant to the purpose for which their account is issued, which is lawful to publish in the UK, and which will not create issues of privacy or consent if made available to the internet as a whole.
  • (S)FTP users are prohibited from accessing, or attempting to access, other users' data.
  • (S)FTP Users are responsible for what they upload.

The owner reserves the right to suspend or remove any UNIX shell or (S)FTP account without notice if any security risk or legal risk is suspected, and to delete any content presenting such risk.

7. General End User Security Policies for all access

End users must not:

  • Share any usernames, passwords or password-protected URLs for moffatig.com
  • Upload or send anything to or through moffatig.com or moffatig.plus.com services that is:
    • Unlawful to publish in the UK
    • Abusive or threatening in any way
    • An actual or potential copyright violation in UK law
    • Another person's personal data without their consent
    • Likely to be considered as advertising or "SPAM" by other users
  • Attempt to bypass the security policies of the moffatig.com system
  • Forward emails received through a list @ moffatig.com to people who are not list members
  • Distribute files downloaded from a non-public website or file hosting service on moffatig.com to anyone who is not already authorised to download those files themselves

Any user in violation of this policy can expect their account to be suspended or deleted without warning.

End users are advised not to post personal data beyond that necessary for the correct operation of the system to or through moffatig.com or moffatig.plus.com servers. Currently this is limited to e-mail addresses for most users.

End users are advised to consider before posting or uploading anything that it will be available to everyone in the list or file hosting community to which they have subscribed, and may be distributed by email or download to personal computers operated by any or all of them. Do not expect that, once posted, it can ever be completely deleted or traced. Any personal financial data found on the system will be removed immediately by the system owner. I don't store my card numbers here and I certainly would not recommend that anyone else does so !

8. Privacy Policies

  • Anything posted to a forum hosted by moffatig.com or moffatig.plus.com is visible to all other members of that forum.
  • Anything posted to a wiki or static web site hosted by moffatig.com or moffatig.plus.com is visible to the internet and may be cached by content distribution networks, search engines and public or private internet archiving services. As such once posted there is nothing the site owner can do to un-publish it from these 3rd party systems even if it is deleted from moffatig.com or moffatig.plus.com
  • All access to authenticated web services, FTP, and shell accounts is logged including the username and remote IP address
  • All FTP file transfers are logged including the file, username and remote IP address
  • All web page accesses and errors are logged including remote IP address
  • All e-mail transactions are logged and all list messages are archived
  • The UNIX, FTP, MAIL and WEB logs can be read by the owner and unix shell users
  • The Mailing list archives and membership list can be read by the server owner and by the administrators of that list only.
  • Uploaded files can be read by the server owner and full UNIX users in addition to the FTP account owner who uploaded them.
  • Event notifications (such as trusted IP registration and logins) are notified by the system to a private e-mail address of the owner and may be used as evidence in case of any civil or criminal proceedings
  • System log files are copied to a remote file storage service and may be used as evidence in case of any civil or criminal proceedings
  • Logs will in general be retained as long as disk space permits with a minimum of at least 6 months.
  • Data subjects may request access to their data on the system from the owner by sending a stamped, self addressed envelope or an e-mail to : There will be no charge for the first request in each calendar year. Subsequent requests will be charged at the maximum rate permitted by UK law.
  • The owner has access, as unix 'root' or super-user to all data stored on the moffatig.com servers.
  • The owner undertakes to maintain confidentiality of all data on the system to the greatest extent possible under English Law. This means that any reasonable request for access to data or logs by a competent authority will be accepted once they have proved that they are legally entitled to it. Otherwise data is only available to the data subject or those to whom the data subject has provided the data for the uses it was provided for (in the context of this system, this is to permit the management and operation of e-mail lists and file hosting only).
  • The owner undertakes not to use data from the web and file services in ways that he is not authorised to do as an end user of these services.

Version 1.3 Last Updated 10th December 2017 Copyright © moffatig.com

Page last modified on December 10, 2017, at 09:11 PM
Copyright © 2017 to date Iain Moffat G0OZS and Contributors.