half-day-security-guide's People

Contributors

cajunluke, dispatchrabbi


half-day-security-guide's Issues

Virtual Ecology

Inspired by this tweet, we should:

  1. consider using the term "virtual ecology"
  2. recommend creating separate ecologies for projects, legal issues, and things you might want to sell rights to

(screenshot for posterity: Screen Shot 2021-04-17 at 10 18 40)

Scroll logic crashes when the user scrolls to the bottom

It's null because scrollPct is 1, so it's looking for the windowHeightth pixel, and the last pixel is windowHeight - 1.

Uncaught TypeError: targetEl is null
    findCurrentSection http://192.168.42.78:8888/js/main.js:16
    onscroll http://192.168.42.78:8888/js/main.js:47
    main http://192.168.42.78:8888/js/main.js:46
    <anonymous> http://192.168.42.78:8888/js/main.js:54
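
A constructed illustration of the off-by-one described in this issue (added here; this is not the project's main.js, whose code is not on the page): the probed pixel row is clamped to windowHeight - 1 before the lookup, so scrollPct === 1 no longer yields a null element. The section layout, the elementAtRow stand-in and the findCurrentSection signature are assumptions.

```javascript
// Constructed example of the scroll-position lookup bug and its fix.
// NOT the project's main.js; the section layout below is made up.

// Given how far down the page the user has scrolled (0..1), pick the
// viewport pixel row to probe. The naive form yields windowHeight at
// scrollPct === 1, which is one past the last visible row (rows run
// 0..windowHeight-1), so an elementFromPoint-style lookup returns null.
function targetPixelNaive(scrollPct, windowHeight) {
  return Math.floor(scrollPct * windowHeight);
}

// Fixed form: clamp to the last visible row (and never below 0).
function targetPixel(scrollPct, windowHeight) {
  const y = Math.floor(scrollPct * windowHeight);
  return Math.min(Math.max(y, 0), windowHeight - 1);
}

// Stand-in for document.elementFromPoint (assumption): returns the
// section whose viewport-relative [top, bottom) range covers row y,
// or null when no section does.
function elementAtRow(sections, y) {
  return sections.find((s) => y >= s.top && y < s.bottom) || null;
}

// What the scroll handler needs: resolve the current section id
// without dereferencing a null lookup. Returns null only if no
// section covers the probed row.
function findCurrentSection(sections, scrollPct, windowHeight) {
  const el = elementAtRow(sections, targetPixel(scrollPct, windowHeight));
  return el ? el.id : null;
}

// Constructed 600px viewport with three sections stacked inside it.
const sampleSections = [
  { id: 'introduction', top: 0, bottom: 200 },
  { id: 'passwords', top: 200, bottom: 400 },
  { id: 'footnotes', top: 400, bottom: 600 },
];
```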

Fix VO nav in Firefox

On Mac/Safari, using VoiceOver to follow TOC links bounces to the proper heading in main. This does not happen in Firefox; following the link there scrolls the page as normal, but the user has to navigate manually to headings.

Copy the text of the guide into the repo

The text needs to be added to the repo, and in a structure that allows pretty linking. Probably:

src/
|- 1-introduction/
    |- summary.md
    |- 1-what-this-guide-is.md
    |- 2-what-this-guide-is-not.md
|- 2-passwords/
    |- summary.md
...

Add diagram for Three Dumb Routers

Feedback from my dad:

Internet of Things (IoT)

  • Three Dumb Routers: a simple block diagram might be helpful here. Simple diagrams might be helpful in several other places: SSO, 2FA, DNS, VPN.

I think a diagram for 3DR would really be helpful as well. I don't know so much about SSO or the others, but he seemed to feel strongly about them. Still, 3DR does need it.

Decouple the generation code from this project's specifics

Right now the generation code is all up in this project's business. Here are ways we could make that better:

  • Make the template and other file paths configurable
  • ...?

This is gold-plating though so I don't think it needs to be done anytime soon.

Feedback from Bernie

Summary of the feedback up top, the whole email is included below.

IoT:

  • Agrees with our recommendations, thinks we appropriately represent how terrifying they are.

Routers:

  • Most people get their routers from their ISP and so should change their SSID along with their password and security key.
  • Some routers from ISPs put a public SSID out for people who are on that ISP to plug into. Turn that off.

Both of these work for me.

VPN:

  • He thinks that VPNs are worth it for anonymity and uses one continually. "HTTPS encrypts traffic on the wire, but doesn't hide endpoint info."

I think our guidance is good enough here and that we shouldn't switch recommendations.

Browsers:

  • He says we don't mention Edge (but we do). He recommends Brave for tracking protection.

I'm okay mentioning it - a lot of people at 1P use it, for example - but I have heard some hinky stuff about Brave, especially with BAT and how that gets distributed. I still think Firefox should be our rec.

Webcams:

  • Getting a privacy cover for a webcam.

Personally I think that this is overblown if you have a webcam that has an LED indicator, but it's probably not bad to mention. Personally I would put it in a Paranoia Alert section.

EULAs:

  • They're scary and contain a lot of stuff you might not expect about how your data gets used! You should probably be aware of that.

His points are valid. I don't know if there should be a big deal about it, but it might be worth talking about going over TOS/EULAs/Privacy Policies near our "consolidate your services" guidance.


Bernie's feedback in whole:

Harold,

I think this is well written and well thought out. I agree with all the recommendations I saw, especially the ones about smart (IoT) devices. I'm frankly terrified by the potential abuse of them. Dana lectures about this; IoT devices are a stalker's best friend. Most people don't secure them and even if they do, IoT security is pretty lacking (to be generous). I got a really nice fancy IoT thermostat (essentially free from PSE&G), but I'm kind of reluctant to install it.

I'd add a few things to this paper:

In the section on routers: Many/most people get their routers from their ISP if they have a broadband connection (e.g. you and I get ours from Comcast). They come pre-configured to work out of the box and usually have a pre-assigned SSID and password (which you need to get started).

You should change these settings to your own SSID (often they have a startup that facilitates this for you) and password. You should also change the administrator login/password and the admin password should be different from your wifi password.

Some routers allow multiple SSIDs and some come pre-configured with 'public' ones. Comcast does this. Your router will also have an Xfinity wifi SSID unless you turn it off. This is how Comcast (or Verizon or RCN or Cablevision or whoever) can make the claim they have a gazillion 'public' access points. They do - and your house is one of them! Usually these require an ISP account (such as with Comcast), but often you can get into another ISP's network (e.g. Spectrum) using your Comcast credentials (they often turn off the credentials requirement during disasters). They share somewhat. Which is nice for us users, but a foreign entity is now inside your private network device. When I'm out and about I can often access Xfinity wifi in stores on my phone. No need to manually log in; iPhone does it all and I've got free wifi access without the store's knowledge.

Not as big a deal where we live, but in high density populations (e.g. high rise apartment building) bigger exposure.

On VPNs: everything they said is good, but I think if you value privacy and anonymity, they're worthwhile. HTTPS encrypts traffic on the wire, but doesn't hide endpoint info; a VPN makes you look like you're in LA or London or Paris (which can be useful for some things, amusing for others. Like getting Amazon prices in Euros). I use one on my main computer almost continually.

On Browsers: They're correct about Chrome, but don't mention Edge, which comes standard with every Win 10 PC. It's essentially the Microsoft version of Chrome. Really. Full of tracking, too.

If you want higher security and no #$%^ ads or tracking, the browser of choice now is Brave. I often use Brave with my VPN turned on and - voila! - no ads, no tracking. If I go to a commercial website, I don't suddenly see ads from them in my email sidebar. Bonus: it's faster.

On Webcams: This used to be commonly publicized, but in the Zoom/Covid era seems not. Get a privacy cover for your webcam and cover it when you're not using it. Late model laptops often have one built in, most external webcams have some sort of cover. You can buy stick on sliding ones for older devices for a few $ online. Worth it.

On EULAs: They don't mention this, and it might freak people out, but the terms of service for most everything these days, the End User License Agreement, pretty much gives every vendor the right to look at all the bits that go through their apps in any way (sometimes more). So Google can read all Gmail messages, for instance. And they really do. It's bots, but they're still doing it. Virtually all free email systems do this as well as many other apps. It's all fodder for big data analysis for advertising. Or propaganda. In some cases, you can opt out of some areas (like sharing your data with their partners), but they don't make it easy and often an update will reset this. There really isn't much more you can do, especially given lax US law in this area (EU is a bit better. Asia mostly worse.)

If you want the convenience and utility of these apps (of course you do!) you're pretty much stuck. But better to be aware even if you tolerate it.

Enjoyed reading this. Always appreciate having my opinions and prejudices independently confirmed. :-)

Bernie

Copy styles and scripts to dist/

Right now the only file that ends up in dist/ is the generated index.html. We need styles and scripts as well.

The best option here is probably to create a static/ directory that just gets copied into dist/. That way it can host whatever it needs to: styles, scripts, images, etc., and with whatever folder structure we want to use.

Make things look pretty

The current site is... shall we say, drab. Here's what I'd like to see:

  • Header up top with the title and subtitle
  • The main content in the middle of the page, nicely formatted
  • The table of contents on the left, with all headings visible to the user
  • As the user scrolls the page, the current section is highlighted in the TOC (split to #16)
  • Footnotes don't suck (split to #15)
  • Move the license and "last updated" date to the footer (or its own section at the very end?)
  • The page looks nice - probably going to want to find a nice typography CSS and a font or two. Maybe consult Amy on this? (split to #17)

Blocked by #3. Blocked by #8.

Pull out special sections

Pull out Paranoia Alert! and One Step Further sections into identifiable boxes.

Consider:

  • Sidebar divs?
  • Should they appear in the TOC?
  • Maybe as little baubles next to sections that contain them?

General fixes/feedback

My dad took a look and offered feedback. This is the easy/general stuff - there are a few other things that I'll put in other issues. I'm also going to use this issue to clean up a few parts of the text I found on a read-through.

My dad's feedback

Introduction

  • “straightforward” used twice.

Keep different parts of your life separate

  • Formatting: hanging period after first sentence.
  • sp. “acknowledgment” not “acknowledgement”

Pick services that are focused on one thing

  • “…there’s less of a chance that the service will go away without warning.” Citation needed!!
    • Note from Eli: I don't know if there's a citation here that we can use, so maybe we change this so that it's clear that it's our opinion.

Two-Factor Authentication

  • “…we recommend using an authenticator app over text messages…” Not enough info here explaining what an authenticator app does as opposed to the text message approach – how does it look to the user? How does one set it up with a site that offers text TFA? etc.

Internet of Things (IoT)

  • Recommend adding home security systems and doorbell viewers to the list of examples.

Check the URL before Entering Sensitive Information

  • Paranoia Alert!: I had to read the “Bonus Points…” sentence four times before I could decode it. Suggest replacing “as” with “since” or “because”.

Create footnotes link in ToC

Add a footnotes link to the ToC so it appears for highlighting and clicking purposes

(There's already a div that has class="footnotes", it just needs that id and an entry in the ToC.)

Figure out footnotes

We have footnotes in the doc. We should figure out an accessible way to add those in.

Automatically reindex footnotes

Adding footnotes requires that all subsequent footnotes be renumbered; we'd rather have that be automatic and footnotes can get descriptive names.

Write the layout/template bits to basic functionality

For this, get some kind of working shell up and running:

  • Top bar
  • Nav on the side
  • Content down the middle

Doesn't have to be perfect, just good enough. No need to worry about theming or fonts right now, just lay the groundwork.
