dispatchrabbi / half-day-security-guide
Got half a day and nothing to do? Level up your electronic privacy!
License: MIT License
The scrolly highlight should stay on the screen; this will also help the ToC keep up with main-panel scrolling.
Maybe a sunrise?
Inspired by this tweet, we should:
It's null because scrollPct is 1, so it's looking for the windowHeight-th pixel, and the last pixel is windowHeight - 1.
Uncaught TypeError: targetEl is null
findCurrentSection http://192.168.42.78:8888/js/main.js:16
onscroll http://192.168.42.78:8888/js/main.js:47
main http://192.168.42.78:8888/js/main.js:46
<anonymous> http://192.168.42.78:8888/js/main.js:54
On Mac Safari, using VoiceOver to follow ToC links bounces to the proper heading in main. This does not happen in Firefox; following the link there scrolls the page as normal, but the user has to navigate manually to headings.
Once #9 is done, let's go back and make sure it looks nice on all form factors, especially mobile phones.
Let's use issues for our todo's! Right now it's in the README and we should use these instead.
It's good now! Let's see if we can make it better.
From Sankar Gorthi's email to the list:
Links from your website could be configured to open in a new tab so as to make your page the 'base of operations' from which users can visit multiple sites but not lose track of where they came from. https://www.freecodecamp.org/news/how-to-use-html-to-open-link-in-new-tab/ covers the usage of target="_blank" and rel="noopener noreferrer" as attributes to your anchors.
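A build-step helper for the link suggestion above, written as an added example and not code from this repo: it rewrites the generated HTML so only off-site anchors get target="_blank" plus rel="noopener noreferrer" (the opened page then has no window.opener handle back into the guide and sends no Referer). The site origin, the sample HTML and the simple-markup assumption are all mine.

```javascript
// Added example, not code from the half-day-security-guide repo. Post-processes the
// generated HTML (the dist/ output) so outbound links open in a new tab and carry
// rel="noopener noreferrer": the opened site then gets no window.opener handle back
// into this page and no Referer header.
const SITE_ORIGIN = "https://example.invalid"; // assumed placeholder for the guide's origin

// True when href points off-site. Relative paths, fragments and same-origin links
// stay in the same tab; non-http(s) schemes such as mailto: are left untouched.
function isExternalHref(href, siteOrigin = SITE_ORIGIN) {
  let url;
  try {
    url = new URL(href, siteOrigin);
  } catch {
    return false; // unparsable href: leave the anchor as it is
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  return url.origin !== new URL(siteOrigin).origin;
}

// Rewrites every <a ...> start tag in an HTML string. Assumes the simple markup a
// markdown converter emits: double-quoted attribute values with no '>' inside them.
function externalizeLinks(html, siteOrigin = SITE_ORIGIN) {
  return html.replace(/<a\b([^>]*)>/gi, (tag, attrs) => {
    const hrefMatch = attrs.match(/\bhref="([^"]*)"/i);
    if (!hrefMatch || !isExternalHref(hrefMatch[1], siteOrigin)) return tag;
    // Keep any rel tokens the author already set (e.g. nofollow) and add ours.
    const relMatch = attrs.match(/\brel="([^"]*)"/i);
    const rel = new Set((relMatch ? relMatch[1] : "").split(/\s+/).filter(Boolean));
    rel.add("noopener");
    rel.add("noreferrer");
    // Strip the old target/rel so the rewritten tag carries exactly one of each.
    const cleaned = attrs
      .replace(/\s+target="[^"]*"/gi, "")
      .replace(/\s+rel="[^"]*"/gi, "")
      .trim();
    return `<a ${cleaned} target="_blank" rel="${[...rel].join(" ")}">`;
  });
}

// Constructed sample of generator output: one off-site link, one fragment, one relative.
const SAMPLE_HTML =
  '<p>Listen to <a href="https://dailytechnewsshow.com/2021/06/17/about-multi-factor-authentication/">the MFA episode</a>, ' +
  'jump to <a href="#footnotes">the footnotes</a>, or read <a href="/2-passwords/">Passwords</a>.</p>';

console.log(externalizeLinks(SAMPLE_HTML));
```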
Split from #9, as this was assumed to be implicit
Tom Merritt's Know a Little More podcast has an episode on MFA from early June. We should link it so people who like audio can listen.
https://dailytechnewsshow.com/2021/06/17/about-multi-factor-authentication/
Split from #9
Write the code that consumes the markdown and the layout and generates the site in dist/.
The text needs to be added to the repo, and in a structure that allows pretty linking. Probably:
src/
|- 1-introduction/
|- summary.md
|- 1-what-this-guide-is.md
|- 2-what-this-guide-is-not.md
|- 2-passwords/
|- summary.md
...
Feedback from my dad:
Internet of Things (IoT)
- Three Dumb Routers: a simple block diagram might be helpful here. Simple diagrams might be helpful in several other places: SSO, 2FA, DNS, VPN.
I think a diagram for 3DR would really be helpful as well. I don't know so much about SSO or the others, but he seemed to feel strongly about them. Still, 3DR does need it.
After it's actually useful; there's no point in getting people excited if they can't do anything.
Right now the generation code is all up in this project's business. Here are ways we could make that better:
This is gold-plating though so I don't think it needs to be done anytime soon.
Summary of the feedback up top, the whole email is included below.
IoT:
Routers:
Both of these work for me.
VPN:
I think our guidance is good enough here and that we shouldn't switch recommendations.
Browsers:
I'm okay mentioning it - a lot of people at 1P use it, for example - but I have heard some hinky stuff about Brave, especially with BAT and how that gets distributed. I still think Firefox should be our rec.
Webcams:
Personally I think that this is overblown if you have a webcam that has an LED indicator, but it's probably not bad to mention. Personally I would put it in a Paranoia Alert section.
EULAs:
His points are valid. I don't know if there should be a big deal about it, but it might be worth talking about going over TOS/EULAs/Privacy Policies near our "consolidate your services" guidance.
Bernie's feedback in whole:
Harold,
I think this is well written and well thought out. I agree with all the recommendations I saw, especially the ones about smart (IoT) devices. I'm frankly terrified by the potential abuse of them. Dana lectures about this; IoT devices are a stalker's best friend. Most people don't secure them and even if they do, IoT security is pretty lacking (to be generous). I got a really nice fancy IoT thermostat (essentially free from PSE&G), but I'm kind of reluctant to install it.
I'd add a few things to this paper:
In the section on routers: Many/most people get their routers from their ISP if they have a broadband connection (e.g. you and I get ours from Comcast). They come pre-configured to work out of the box and usually have a pre-assigned SSID and password (which you need to get started).
You should change these settings to your own SSID (often they have a startup that facilitates this for you) and password. You should also change the administrator login/password and the admin password should be different from your wifi password.
Some routers allow multiple SSIDs and some come pre-configured with 'public' ones. Comcast does this. Your router will also have an Xfinity wifi SSID unless you turn it off. This is how Comcast (or Verizon or RCN or Cablevision or whoever) can make the claim they have a gazillion 'public' access points. They do - and your house is one of them! Usually these require an ISP account (such as with Comcast), but often you can get into another ISP's network (e.g. Spectrum) using your Comcast credentials (they often turn off the credentials requirement during disasters). They share somewhat. Which is nice for us users, but a foreign entity is now inside your private network device. When I'm out and about I can often access Xfinity wifi in stores on my phone. No need to manually log in; iPhone does it all and I've got free wifi access without the store's knowledge.
Not as big a deal where we live, but in high density populations (e.g. high rise apartment building) bigger exposure.
On VPNs: everything they said is good, but I think if you value privacy and anonymity, they're worthwhile. HTTPS encrypts traffic on the wire, but doesn't hide endpoint info; a VPN makes you look like you're in LA or London or Paris (which can be useful for some things, amusing for others. Like getting Amazon prices in Euros). I use one on my main computer almost continually.
On Browsers: They're correct about Chrome, but don't mention Edge, which comes standard with every Win 10 PC. It's essentially the Microsoft version of Chrome. Really. Full of tracking, too.
If you want higher security and no #$%^ ads or tracking, the browser of choice now is Brave. I often use Brave with my VPN turned on and - voila! - no ads, no tracking. If I go to a commercial website, I don't suddenly see ads from them in my email sidebar. Bonus: it's faster.
On Webcams: This used to be commonly publicized, but in the Zoom/Covid era seems not. Get a privacy cover for your webcam and cover it when you're not using it. Late model laptops often have one built in, most external webcams have some sort of cover. You can buy stick on sliding ones for older devices for a few $ online. Worth it.
On EULAs: They don't mention this, and it might freak people out, but the terms of service for most everything these days, the End User License Agreement, pretty much gives every vendor the right to look at all the bits that go through their apps in any way (sometimes more). So Google can read all Gmail messages, for instance. And they really do. It's bots, but they're still doing it. Virtually all free email systems do this as well as many other apps. It's all fodder for big data analysis for advertising. Or propaganda. In some cases, you can opt out of some areas (like sharing your data with their partners), but they don't make it easy and often an update will reset this. There really isn't much more you can do, especially given lax US law in this area (EU is a bit better. Asia mostly worse.)
If you want the convenience and utility of these apps (of course you do!) you're pretty much stuck. But better to be aware even if you tolerate it.
Enjoyed reading this. Always appreciate having my opinions and prejudices independently confirmed. :-)
Bernie
Right now the only file that ends up in dist/ is the generated index.html. We need styles and scripts as well.
The best option here is probably to create a static/ directory that just gets copied into dist/. That way it can host whatever it needs to: styles, scripts, images, etc., and with whatever folder structure we want to use.
The current site is... shall we say, drab. Here's what I'd like to see:
Split from #9
Support dark mode in css
Pull out Paranoia Alert! and One Step Further sections into identifiable boxes.
Consider:
• Sidebar divs?
• Should they appear in the TOC?
• Maybe as little baubles next to sections that contain them?
We have that nice checklist.md, it'd be a shame if something didn't happen to it.
My dad took a look and offered feedback. This is the easy/general stuff - there are a few other things that I'll put in other issues. I'm also going to use this issue to clean up a few parts of the text I found on a read-through.
Introduction
Keep different parts of your life separate
Pick services that are focused on one thing
Two-Factor Authentication
Internet of Things (IoT)
Check the URL before Entering Sensitive Information
Add a footnotes link to the ToC so it appears for highlighting and clicking purposes
(There's already a div that has class="footnotes", it just needs that id and an entry in the ToC.)
We have footnotes in the doc. We should figure out an accessible way to add those in.
I'm moving to 1Password, we should not so highly recommend them.
Adding footnotes requires that all subsequent footnotes be renumbered; we'd rather have that be automatic and footnotes can get descriptive names.
Flip the switch in settings that serves this repo via Github Pages. Read the docs first, then make it happen.
For this, get some kind of working shell up and running:
Doesn't have to be perfect, just good enough. No need to worry about theming or fonts right now, just lay the groundwork.