Hello, mailing list!
(Sorry for double-mailing if you're on the HackLab mailing list.)
Some friends in Toronto are working on an international project, and
looking for some help with security audit. I thought y'all might know or be
interested persons. Feel free to FW to your heart's content!
Here are the details in my words:
*Are you frustrated with recent actions by the Trump administation and
looking to be part of an effort to push back?* Well, then this might be an
opportunity to use your skills as a security consultant.
The EDGI project <https://envirodatagov.org/> (aka "guerilla archiving") is
an international group of academics (archivists, librarians, information
studies, etc.) and non-profits, working to preserve environmental data
during the Trump transition. More generally, they're building tools and
process for preserving government data. They've gotten quite a bit of positive
press
<https://theintercept.com/2017/01/27/a-coalition-of-scientists-keeps-watch-on-the-u-s-governments-climate-data/>
.
They're hoping to open-source their main pipeline tool as soon as possible,
but would feel much better about this after a light security consultation.
The hope was for a high-level holistic audit. Light code-review of their
javascript app is a bonus: Meteor app backed by MongoDB on Heroku. (They
built with the skills and experience they had access to.)
Importantly, they currently have no funds. Given the public support they've
seen, they are looking into ways to fund a longer term review of their
security.
Any amount of time, full or in part of above goals, is appreciated.
*Key questions*
- Is Meteor appropriate given our concerns and needs?
- What are best practices for securing our stack? (Meteor app, MongoDB,
Heroku)
- Is our actual implementation secure?
