DU Security

I typically work on Health Care related projects. In these projects, security is a primary factor. Clients will be storing patient data which needs to be secured. Since DU uses a connection to Boonex for modules, how "Secure" would a DU site be considered? What kind of back doors does Boonex have into a site created with DU? Would a DU site be able to call itself HIPAA compliant?

caredesign.net
Quote · 10 Sep 2014

All servers and all software talk to other servers or have the ability to.

Why are you singling out Dolphin? You have other software on your server that connects to the internet, do you not?

Dolphin U communicates to Boonex using the OAuth protocol. Hence the reason you had to install the OAuth module you did not need before, as D7 used older methods such as AJAX to talk to the Boonex site. If anything, it got more secure.

https://www.deanbassett.com
Quote · 10 Sep 2014

My server is specifically set up to be HIPAA compliant, so any other software on the server has to follow specific guidelines to maintain the HIPAA compliance. I am singling out Dolphin U because that is the only thing I have installed/added to the server, and the only thing I am not sure about. And since I have to log into my Boonex account from within the DU site, I am asking the question.

caredesign.net
Quote · 10 Sep 2014

 

Since DU uses a connection to Boonex for modules,

I want more information on this.  If Boonex is moving to an Apple model, then I won't be doing anything with Dolphin U.

Geeks, making the world a better place
Quote · 10 Sep 2014

 RE

I want more information on this.  If Boonex is moving to an Apple model, then I won't be doing anything with Dolphin U.

 You do have to be logged into Boonex and your studio to download modules, there is no manual process to add them now.

It's all done with OAuth, even the uninstall process is totally different.

ManOfTeal.COM a Proud UNA site, six years running strong!
Quote · 10 Sep 2014

 RE

Dolphin U communicates to boonex using the oAuth protocol.

 GG, have you done a test install yet?

[edit] Attached is a short video in the studio, and installing a module.

Also shows my current market purchases; of course none are for DU but they will be there to DL when available.

https://www.youtube.com/watch?v=D-KcjJfxMio

ManOfTeal.COM a Proud UNA site, six years running strong!
Quote · 10 Sep 2014

I installed Dolphin U modules manually without problems. They are hidden, but you can find them easily.

Quote · 10 Sep 2014

Yes. Modules can be installed manually.

https://www.deanbassett.com
Quote · 10 Sep 2014

I would have issue with something along the lines of Apple and similar where they constantly have their hands in your devices. Apple is constantly connected to their devices; they even pushed out an update to break jailbroken phones and it took a ruling from the Supreme Court for them to stop. Amazon deleted books from their tablets without the owners knowing of it. I won't operate under such conditions. I won't own an iPhone unless I can break its constant connection to Apple; and the same for Android devices, the same for any tablet device. I don't let Microsoft in my Windows box.

Geeks, making the world a better place
Quote · 10 Sep 2014

No, I haven't installed it yet. I do plan to, so I can start learning.

From the video, it appears that there is just a web interface inside of Dolphin U that you log into your Boonex account just the same as if I opened up a separate browser window and logged in.  The rest of it I am assuming is just downloading and storing in the module directory and that I can just download and ftp into my module directory like I would now and is what I would do if I operate a Dolphin U site.  I am guessing that I don't need to set up the admin download part of Dolphin, I don't want that feature active in my Dolphin admin.

Geeks, making the world a better place
Quote · 10 Sep 2014

So - back to my original question - would this new DU be able to be considered HIPAA compliant? Also, if I have to connect to Boonex to install/uninstall modules, is this connection consistent? Am I able to disconnect from Boonex and still work on the site, or do I always have to be connected to Boonex? Can I work on my site with no internet connection (just home network for testing)?

caredesign.net
Quote · 10 Sep 2014

 

would this new DU be able to be considered HIPAA compliant?

 That will have to come from boonex themselves. There is no way any of us will be able to answer that.

https://www.deanbassett.com
Quote · 10 Sep 2014

The Privacy Rule protects all "individually identifiable health information". Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

One could argue that, although the information can be shielded using privacy settings, the data is not encrypted in the database and therefore not well enough protected.

Dedicated servers for as little as $32 (28 euro) - See http://denre.com for more information
Quote · 10 Sep 2014

 

The rest of it I am assuming is just downloading and storing in the module directory and that I can just download and ftp into my module directory like I would now and is what I would do if I operate a Dolphin U site.

 I do know that you can upload modules directly using FTP as you can with D7 now and they will work. I use this method with the Facebook connect module I am testing on my DU setup.

However, I am not sure how the market will be set up. As long as we will still be able to download files manually from the market and not just through the DU studio, then I am assuming you will not need to set up the OAuth info.

However, I am not sure about updates to Dolphin. I am not sure if they plan on distributing updates as downloadable packages or not. Updates are currently done within studio as well.

Really all that does is queue up a cron job that downloads from the market. The rest is done within DU. The only time it connects to boonex is to get listings or modules in the market and to check for updates. It's a one way connection. I don't really get the paranoid attitude.

https://www.deanbassett.com
Quote · 10 Sep 2014

 I do have encrypted databases - that is one of the many things I had to implement personally. All other security measures are handled by the Server Hosting Company. I also have SSL.

The Privacy Rule protects all "individually identifiable health information". Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

One could argue that, although the information can be shielded using privacy settings, the data is not encrypted in the database and therefore not well enough protected.

 

@Deano - I understand and was hoping Alex or someone would respond.

caredesign.net
Quote · 10 Sep 2014

BoonEx doesn't connect to user's site at all, but sites are connecting to BoonEx to:

- install modules from the market
- get modules and system updates
- check for latest version

All above actions are performed using HTTPS (except system version check and system update).

Dolphin can still be used without internet connection and modules can be installed manually, but they will not be updated automatically and system files will not be automatically updated as well.

So - back to my original question - would this new DU be able to be considered HIPAA compliant? Also, if I have to connect to Boonex to install/uninstall modules, is this connection consistent? Am I able to disconnect from Boonex and still work on the site, or do I always have to be connected to Boonex? Can I work on my site with no internet connection (just home network for testing)?

 

Rules → http://www.boonex.com/terms
Quote · 11 Sep 2014

 

 RE

I want more information on this.  If Boonex is moving to an Apple model, then I won't be doing anything with Dolphin U.

 You do have to be logged into Boonex and your studio to download modules, there is no manual process to add them now.

It's all done with OAuth, even the uninstall process is totally different.

 So if you have to be logged into Boonex to download modules etc..... What happens if Boonex either (a) goes broke or (b) sells out to someone that then charges to be a member at Boonex? This whole thing appears to be reliant on the stability of Boonex.

 

Quote · 11 Sep 2014

 

So if you have to be logged into Boonex to download modules etc..... What happens if Boonex either (a) goes broke or (b) sells out to someone that then charges to be a member at Boonex? This whole thing appears to be reliant on the stability of Boonex.

AlexT already answered this:

"Dolphin can still be used without internet connection and modules can be installed manually, but they will not be updated automatically and system files will not be automatically updated as well."

Geeks, making the world a better place
Quote · 11 Sep 2014

 

and system files will not be automatically updated as well.

This is good to know in case someone modifies the files for custom work; that way Boonex won't overwrite these files.

Geeks, making the world a better place
Quote · 11 Sep 2014

@AlexT - thanks for your response. Now I feel a bit better.

caredesign.net
Quote · 11 Sep 2014

 

BoonEx doesn't connect to user's site at all, but sites are connecting to BoonEx to:

- install modules from the market
- get modules and system updates
- check for latest version

All above actions are performed using HTTPS (except system version check and system update).

Dolphin can still be used without internet connection and modules can be installed manually, but they will not be updated automatically and system files will not be automatically updated as well.

So - back to my original question - would this new DU be able to be considered HIPAA compliant? Also, if I have to connect to Boonex to install/uninstall modules, is this connection consistent? Am I able to disconnect from Boonex and still work on the site, or do I always have to be connected to Boonex? Can I work on my site with no internet connection (just home network for testing)?

 

 I don't use SSL on my website now.

Do I need to add SSL to my website for auto update and install module from market to work?

Quote · 11 Sep 2014

My SSL was in reference to a comment about HIPAA compliance and security. You do not need an SSL for a Dolphin site (and honestly SSLs are a hassle on a Dolphin site). But for my projects, they are mandatory.

caredesign.net
Quote · 11 Sep 2014

 

and honestly SSLs are a hassle on a dolphin site)

I have a request for this; can you PM any information you can share that will make my job easier :-).

Geeks, making the world a better place
Quote · 11 Sep 2014

In simple words, DU will be like Ubuntu or any other OS, which can update your website and fix the bugs with your permission, like by clicking to check updates etc. This way there will be less time spent on single-ticket issue handling regarding the same bug for multiple websites and more time for development. I have a question: if there is a bug in a website, can the webmaster report the bugs like they do in an OS, or do they have to issue a ticket?

Umar Haroon
Quote · 11 Sep 2014

 

be like Ubuntu or any other OS

I have never let any OS do auto updates; a good way to get a crashed system. Recently MicroCrap, er, Microsoft issued an update that did a BSOD on Windows 8 or caused an endless boot loop.

Geeks, making the world a better place
Quote · 11 Sep 2014

 

be like Ubuntu or any other OS

I have never let any OS do auto updates; a good way to get a crashed system. Recently MicroCrap, er, Microsoft issued an update that did a BSOD on Windows 8 or caused an endless boot loop.

 I said with your permission. From multiple updates, you can uncheck which you don't want to update.

Umar Haroon
Quote · 11 Sep 2014

 

and system files will not be automatically updated as well.

This is good to know in case someone modifies the files for custom work; that way Boonex won't overwrite these files.

If any file is modified, then the system (or module) will not be automatically updated. However, there is an option to force overwrite of modified files, if not so many files are modified. If a lot of files are modified, then the upgrade must be done manually.

Rules → http://www.boonex.com/terms
Quote · 20 Sep 2014

 

All above actions are performed using HTTPS (except system version check and system update).

 I don't use SSL on my website now.

Do I need to add SSL to my website for auto update and install module from market to work?

It is not required to have an SSL certificate installed in Dolphin; it is already installed on the boonex.com side.

Rules → http://www.boonex.com/terms
Quote · 20 Sep 2014

 

I have a question: if there is a bug in a website, can the webmaster report the bugs like they do in an OS, or do they have to issue a ticket?

Tickets (now "Issues") are still required for bugfixes; the issue tracking system for Dolphin U is powered by github.com

Rules → http://www.boonex.com/terms
Quote · 20 Sep 2014

How many people are working on DU? I mean the process looks kinda slow. Any plan for the next alpha release?

Quote · 20 Sep 2014

Is there any way to add some form of brute force login protection not only to du but to d7x?

I mean basically someone can write a script to login to dolphin as the admin or other user, and brute force a password over and over right?

Is there any way to ban this kind of activity for say 5 mins first time, 1 hour next, 1 day, indefinitely, etc.

Other scripts do this, but I haven't seen jack for Dolphin, which surprises me.

It would be a nice addition to Dolphin.

DialMe.com - Your One and Only Source For Boonex Dolphin Tutorials and Resources
Quote · 21 Sep 2014

 

Is there any way to add some form of brute force login protection not only to du but to d7x?

I mean basically someone can write a script to login to dolphin as the admin or other user, and brute force a password over and over right?

Is there any way to ban this kind of activity for say 5 mins first time, 1 hour next, 1 day, indefinitely, etc.

Other scripts do this, but I haven't seen jack for Dolphin, which surprises me.

It would be a nice addition to Dolphin.

 And how to change the default administration URL?

Quote · 21 Sep 2014

 "brute force" means automated password guessing, right?

As long as you come up with something that's over 12 symbols long, not easy to remember and is a mix of character types, it becomes really costly to "brute force". Example: M4a9NP9d=CC8Ba^aFz;PiK* 

So that takes care of the software not ever guessing your password. As far as I understand, unless the script is executed from your own machine, such activity would be a de-facto DDOS then. It may not even be helpful to time-limit login attempts, since this kind of checking would only further bog down your server. When it's a DDOS issue, perhaps talk to the hosting guys.

 

Is there any way to add some form of brute force login protection not only to du but to d7x?

I mean basically someone can write a script to login to dolphin as the admin or other user, and brute force a password over and over right?

Is there any way to ban this kind of activity for say 5 mins first time, 1 hour next, 1 day, indefinitely, etc.

Other scripts do this, but I haven't seen jack for Dolphin, which surprises me.

It would be a nice addition to Dolphin.

 

Heart Head Hands
Quote · 21 Sep 2014

I just get hammered with admin logins that fail because they are not me. It would be nice to do away with that.

Another thing that would be nice is the SMTP module password. It would be nice to encrypt the SMTP password in the database rather than storing it as regular text, if that is possible.

I don't expect my database to be stolen, but you never know. If someone gets their hands on it then they have all the SMTP details they need, all in plain text.

DialMe.com - Your One and Only Source For Boonex Dolphin Tutorials and Resources
Quote · 21 Sep 2014

DDOS and brute force are not the same thing.

With brute force you can obtain the password of a user by sending a large number of possible passwords every second. Users generally do not use long passwords with symbols like "a2JX-&sf83i4Ysm", but passwords like "iamthebest" that are easier to identify with this kind of attack. Inserting a brute force attack protection does not block the server, but it prevents any attacker from entering more than X incorrect passwords in a time Y. For example, 5 incorrect passwords in 5 minutes. If you exceed the number of attempts, the system locks the user access for X minutes. And after this time, if the incorrect attempts continue, it completely blocks the account.

I think it is a very good idea to implement this system in DU and D7.X, or implement 2-step verification.

 "brute force" means automated password guessing, right?

As long as you come up with something that's over 12 symbols long, not easy to remember and is a mix of character types, it becomes really costly to "brute force". Example: M4a9NP9d=CC8Ba^aFz;PiK* 

So that takes care of the software not ever guessing your password. As far as I understand, unless the script is executed from your own machine, such activity would be a de-facto DDOS then. It may not even be helpful to time-limit login attempts, since this kind of checking would only further bog down your server. When it's a DDOS issue, perhaps talk to the hosting guys.

 

Is there any way to add some form of brute force login protection not only to du but to d7x?

I mean basically someone can write a script to login to dolphin as the admin or other user, and brute force a password over and over right?

Is there any way to ban this kind of activity for say 5 mins first time, 1 hour next, 1 day, indefinitely, etc.

Other scripts do this, but I haven't seen jack for Dolphin, which surprises me.

It would be a nice addition to Dolphin.

 

Quote · 21 Sep 2014
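The lockout scheme the two posts above ask for (escalating bans after repeated failed logins: 5 minutes, then 1 hour, then 1 day, then indefinitely, triggered by 5 bad attempts within 5 minutes) is straightforward to express as a small piece of server-side logic. The following is an added example, not code from Dolphin, DU or Boonex, written in Python so it can run stand-alone; the `LoginGuard` class, the `attempt_login` gate and the in-memory dictionaries (standing in for a database table) are all assumptions of this example, and the "admin" account and the IP address in the scenario are constructed.

```python
"""Escalating login lockout: added example, not Dolphin/DU code.

Tracks failed attempts per key (an account name, a client IP, or both) in a
sliding window and applies the escalating bans proposed in the thread:
5 minutes, then 1 hour, then 1 day, then indefinitely. Durations in seconds.
The thresholds (5 failures in 5 minutes) follow the last post; the storage is
an in-memory dict standing in for a database table.
"""
import time
from collections import defaultdict

INDEFINITE = float("inf")  # marker for a lock that never expires on its own


class LoginGuard:
    def __init__(self, max_failures=5, window=300,
                 lockout_steps=(300, 3600, 86400, INDEFINITE)):
        self.max_failures = max_failures
        self.window = window
        self.lockout_steps = lockout_steps
        self._failures = defaultdict(list)   # key -> timestamps of recent failures
        self._locked_until = {}              # key -> absolute time the lock ends
        self._lock_count = defaultdict(int)  # key -> locks imposed so far (escalation level)

    def locked_for(self, key, now=None):
        """Seconds left on the lock for `key`: 0 if unlocked, inf if indefinite."""
        now = time.time() if now is None else now
        until = self._locked_until.get(key)
        if until is None:
            return 0
        if until <= now:
            del self._locked_until[key]  # lock expired; forget it
            return 0
        return until - now

    def record_failure(self, key, now=None):
        """Register one failed attempt. Returns the lock duration imposed, 0 if none."""
        now = time.time() if now is None else now
        recent = [t for t in self._failures[key] if now - t < self.window]
        recent.append(now)
        self._failures[key] = recent
        if len(recent) < self.max_failures:
            return 0
        level = min(self._lock_count[key], len(self.lockout_steps) - 1)
        duration = self.lockout_steps[level]
        self._lock_count[key] += 1
        self._locked_until[key] = now + duration
        self._failures[key] = []  # the window restarts once the lock expires
        return duration

    def record_success(self, key):
        """A real login clears the window and the escalation level for that key."""
        self._failures.pop(key, None)
        self._lock_count.pop(key, None)


def attempt_login(guard, key, password_ok, now=None):
    """Gate a login attempt. Returns (allowed, lock_seconds).

    While locked the request is refused before the credential is checked, so
    guesses made during the lock neither succeed nor extend the window.
    `password_ok` stands in for the real credential check.
    """
    remaining = guard.locked_for(key, now)
    if remaining:
        return False, remaining
    if password_ok:
        guard.record_success(key)
        return True, 0
    return False, guard.record_failure(key, now)


def simulate():
    """Constructed scenario: a scripted attacker hammers the 'admin' account."""
    guard = LoginGuard()
    locks = []
    t = 0
    for _ in range(4):              # four rounds of five bad guesses each
        lock = 0
        for _ in range(5):
            _, lock = attempt_login(guard, "admin", False, now=t)
            t += 1
        locks.append(lock)
        if lock != INDEFINITE:
            t += lock               # wait out the lock before the next round
    return locks  # [300, 3600, 86400, inf]


if __name__ == "__main__":
    print(simulate())
```

Keying the guard by account name alone lets an attacker lock a legitimate user out on purpose, so in practice a deployment tracks two keys, the account and the source address (for example `"admin"` and `"ip:198.51.100.7"`), and refuses when either is locked; the per-IP key is also what keeps the check cheap, since a locked source is rejected before any password hashing happens. The indefinite step should be backed by an admin unlock path and an alert, and the failure timestamps belong in a table or cache shared across web workers, not a per-process dict as here.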