In Memoriam: Don Smith
Don Smith was not only the original author of the below pre-login text describing the goals of the Ops-Trust Community, but more importantly a very valued and trusted member of various Trust Groups. He was one of the original SANS Internet Storm Center handlers, who has for well over 20 years heavily contributed with his energy for mentoring and enhancing Internet culture to make the Internet a safer place.
Don, it was a privilege having you, requiescat in pace, you are already sorely missed.
(coffee != sleep) & (!coffee == sleep)
Operations Security Trust (or "Ops-T") forum is a highly vetted community of security
professionals focused on the operational robustness, integrity, and security
of the Internet. The community promotes responsible action against malicious
behavior beyond just observation, analysis and research. Ops-T carefully
expands membership pulling talent from many other security forums looking
for strong vetting within three areas:
* sphere of trust;
* sphere of action;
* the ability to maintain a "need to know" confidentiality.
Operations Security Trust (or "Ops-T") members are in a position to directly affect
Internet security operations in some meaningful way. The community's members
span the breadth of the industry including service providers, equipment
vendors, financial institutions, mail admins, DNS admins, DNS registrars,
content hosting providers, law enforcement organizations/agencies, CSIRT
Teams, and third party organizations that provide security-related services
for public benefit (e.g. monitoring or filtering service providers). The
breadth of membership, along with an action plus trust vetting approach
creates a community which would be in a position to apply focused attention on
the malfeasant behaviors which threaten the Internet.
Ops-T members:
* will be privy to lists of infected IP addresses, compromised
accounts, bot C&C lists and other data that should be acted upon.
* are expected to take appropriate action within their domain of control.
* are expected to contribute data as appropriate and in a fashion that
does not violate any laws or corporate policies.
Ops-T does not accept applications for membership. New candidates are
nominated by their peers who are actively working with them on improving the
operational robustness, integrity, and security of the Internet.
Privacy Notice / GDPR compliance / Disclaimer
Ops-Trust requires a functional email address and full name of the participant for the point of communication, which is the primary purpose of the platform. Other profile details can optionally be provided and modified in the user profile.
Data extraction: You can request a copy of your data in the database from your trust group administrator. The sysadmin team will provide a JSON dump of the data, effectively: information as seen on the profile, email addresses, PGP keys, trust group memberships, mailing list memberships, trusts. This data is fully visible to the user in the web interface.
Data Deletion (the "right to be forgotten"): You can request full deletion of your data by contacting your trust group administrator; this will of course also deny access to and participation in the platform.
Please do PGP-sign all these requests; without a signature we cannot check the validity of the request.
We apply these privacy rules to every user, regardless of country of origin, as privacy and data secrecy are important to us.
* Ops-Trust does not store any emails from the mailing lists; as such, we do not have that data and cannot provide any of it.
* Do PGP encrypt all sensitive communications
* Do PGP sign all requests where origin authentication is required.
* Our web servers (nginx) and email servers (postfix) use default logging and thus log details about requests and access for a week at a time, after which the logs are rotated away.
* Primarily regarding deletion: Ops-Trust has a live system where data will be directly removed, but data stored in secure backups takes the expiration time to rotate out.
* Cookies (session based) are used by the website to track the logged-in state.
* Ops-Trust does not sell or distribute data in any way, except for what is shown in the web interface to other signed-in users.
* There is no advertising on Ops-Trust.
* Ops-Trust is run by a non-profit; in the case of a breach we will be open about it to our membership.
* The Ops-Trust codebase (Trident, https://trident.li) is open source; please do audit the source code and provide security feedback to firstname.lastname@example.org