Responding to the current moment

As the nation responds to the deaths of numerous Black folks at the hands of police, countless organizations have been expressing their support for the protests. There’s nothing we can say that hasn’t been said better already. We want to focus on what we specifically can do in this moment to be a part of our movement. So effective immediately:

  • Work related to police accountability and/or protests will get a free upgrade to our best service-level agreement. It will be top priority, no rush fees, and we will start work within one hour. Contact us to discuss need-based cost reduction.
  • Megaphone Tech staff arrested at protests will receive their full pay while they are in jail, plus the following 24 hours to recuperate.
  • We have already given (and will continue to give) our time and money as individuals; if an opportunity to contribute funds at an organizational level arises we will take it.
  • We support the diversity of tactics that folks choose to use in their pursuit of justice. All of this applies regardless of the methods of protest folks engage in.

We ask our other clients for understanding and patience as our work capacity shifts to accommodate our jailed employees and our police accountability work. Justice is often inconvenient.

Association for Community Design membership management database launches!

April marked the launch of the new membership management software and website for the Association for Community Design. ACD coordinates architects and other design professionals working to use their tools to better serve the communities in which they live and work.

ACD had been using Wild Apricot for membership management, but struggled with rising monthly costs and limits on the number of contacts in their database.

Using Backdrop CMS and CiviCRM, ACD now has a membership management tool that does everything their old one did and more, with no limitations on their number of users or contacts.

To provide ongoing support for ACD, Megaphone Tech ported the Drupal Nagios module to Backdrop CMS. This allows us to monitor the site for issues using established monitoring tools.

Monitoring against the Charles Bourasseau security exploit with Icinga2

Have you received this email?

Hello,

My name is Charles Bourasseau, and I'm an independent IT security expert. I noticed a security issue on your website http://example.org.

I was able to access a lot of files that contain sensitive data. I attached a screenshot of the files I found to this email.

I am sorry to be the bearer of bad news, and I would be happy to share more information immediately, so that your team may fix this, can you please put me in touch with the right person to speak to about this?

For complete transparency, I'd like to share with you that my work is based on bug bounty programs and financial rewards in exchange for security advice.

This email is personal and in no way related to any of my employers.

I'm on standby to help you resolve this as quick as possible, I look forward to hearing from you.

Best Regards,
Charles Bourasseau

It’s more than a bit shady – and my colleague Mathieu Lutfy did a great write-up of the issue on his blog.

If you’re using Icinga2, here’s an easy way to see if you have a git repository in your website’s root exposed. Add this service check:

  # If this returns HTTP 200, you have a problem. You want HTTP 4xx.
  apply Service "Exposed Git: " for (http_vhost => config in host.vars.http_vhosts) {
    import "generic-service"

    check_command = "http"
    vars.http_vhost = config.http_vhost
    vars.http_ssl = config.http_ssl
    vars.http_uri = "/.git/config"
    vars.http_expect = "HTTP/1.1 4"
  }

This presumes your hosts define multiple vhosts per host in a format like:

  vars.http_vhosts["www.megaphonetech.com"] = {
    http_uri = "/"
    http_ssl = true
    http_vhost = "www.megaphonetech.com"
    http_expect = "HTTP/1.1 200 OK"
    cms = "wordpress"
  }
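The same check as a stand-alone Python script, added here as an example that is not part of the original post or of the Icinga2 project. It reads a vhost dictionary in the same shape as host.vars.http_vhosts (the hostname below is a constructed placeholder), requests /.git/config without following redirects, and also inspects the body so that a CMS that answers 200 for every path is not reported as an exposed repository.

```python
"""Stand-alone exposed-.git check over vhosts shaped like host.vars.http_vhosts."""
import http.client

# Constructed sample in the shape of the Icinga2 vhost dictionary; the
# hostname is a placeholder, not a real site.
HTTP_VHOSTS = {
    "www.example.org": {"http_uri": "/", "http_ssl": True,
                        "http_vhost": "www.example.org", "cms": "wordpress"},
}


def classify(status, body):
    """Return 'exposed', 'blocked', 'redirect' or 'ambiguous' for one response.

    The status-only Icinga check (http_expect = "HTTP/1.1 4") flags every
    non-4xx answer; a git config file starts with a "[core]" section, so the
    body separates a real repository from a front controller that returns
    200 for any unknown path.
    """
    if 400 <= status <= 499:
        return "blocked"
    if 300 <= status <= 399:
        return "redirect"      # forced-HTTPS or login redirect: inspect by hand
    if status == 200 and "[core]" in body:
        return "exposed"
    return "ambiguous"         # 200 or 5xx without git-config content


def fetch(vhost, ssl, uri="/.git/config", timeout=10):
    """GET uri from vhost without following redirects; returns (status, body)."""
    conn_cls = http.client.HTTPSConnection if ssl else http.client.HTTPConnection
    conn = conn_cls(vhost, timeout=timeout)
    try:
        conn.request("GET", uri, headers={"Host": vhost,
                                          "User-Agent": "git-exposure-check"})
        resp = conn.getresponse()
        body = resp.read(4096).decode("utf-8", "replace")
        return resp.status, body
    finally:
        conn.close()


def check_vhosts(vhosts, fetch_fn=fetch):
    """Classify every vhost; fetch_fn is injectable so tests can run offline."""
    results = {}
    for name, config in vhosts.items():
        status, body = fetch_fn(config["http_vhost"], config["http_ssl"])
        results[name] = classify(status, body)
    return results


if __name__ == "__main__":
    for name, verdict in check_vhosts(HTTP_VHOSTS).items():
        print(f"{name}: {verdict}")
```

A 3xx answer also fails the Icinga check above, so the script reports redirects separately rather than treating them as an exposure.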