brianlovin / security-checklist Goto Github PK

Using a keyboard app that has network permissions (like Google's Gboard) is a privacy risk - these apps can contain keyloggers.

Even if the keyboard app does not have network permissions, it still might have storage permissions and keep the information on the accessible storage for another installed app that does have these network permissions that could then send it.

There are keyboards with no network permissions (e.g. AnySoftKeyboard) that have only optional storage permissions that are better in this regard.

What about iCloud Keychain? I find it incredibly useful and I understand it's for Apple platform. Why was it not mentioned in there?

It might be useful to augment the section on device pins with some resources on why TouchID and FaceID aren't terribly secure as well as how to temporarily turn them off

My wife mentioned that it doesn't necessarily "read" like a checklist right now - perhaps the sections should start out in a collapsed state that visitors can expand. Perhaps a chevron on the right to indicate open/closed state (not pictured)...

They could default closed, or maybe default closed - except for the first unchecked list item? Just throwing out what's popping into my head here, lmk what you think.

In December, Australia passed a law that thwarts strong encryption and possibly forces Australian companies to introduce a government agencies encryption backdoor into their applications. Since FastMail is an Australian company, should it still be recommended as a viable alternative to GMail, then?

Would it be helpful to add a "last updated" date to each checklist item?

I know this might lead to some trust issues if an issue doesn't need to be updated frequently, but it could help users feel more confident that they're getting the most up-to-date information.

It might also help determine when a checklist item needs to be updated, or at least re-vetted.

Not sure how we add this without really cluttering the layout, but I feel like browser extensions are key components for many of these password managers. Compiling links below for when we figure out how to integrate these...

1Password https://1password.com/downloads/mac/ (different for PC?)
Chrome: https://chrome.google.com/webstore/detail/1password-extension-deskt/aomjjhallfgjeglblehebfpbcfeobpgk?hl=en
Safari: https://safari-extensions.apple.com/details/?id=com.agilebits.onepassword4-safari-2BUA8C4S2C
Firefox: https://1password.com/browsers/firefox/

LastPass https://lastpass.com/misc_download2.php
Chrome: https://chrome.google.com/webstore/detail/hdokiejnpimakedhajhdlcegeplioahd
Safari: https://download.cloud.lastpass.com/mac/lastpass.safariextz
Firefox: https://lastpass.com/lastpassffx/xpi.php
Plus there's a second Chrome extension for this one...

Dashlane
Chrome: https://chrome.google.com/webstore/detail/dashlane-password-manager/fdjamakpfbbddfjaooikfcpapjohcfmg?hl=en
Safari: installed thru the desktop app apparently?
Firefox: maybe this https://www.dashlane.com/firefox-install

BitWarden https://github.com/bitwarden/browser
Chrome: https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb?hl=en
Safari: https://safari-extensions.apple.com/details/?id=com.bitwarden.safari-LTZ2PFU5D6
Firefox: https://addons.mozilla.org/firefox/addon/bitwarden-password-manager/

As an alternative to WhatsApp or so:

• https://threema.ch
• for iOS and Android
• web version (across OSes) available
• encryption audited and Swiss-based

In my opinion, enabling localization will help a lot of people to understand more. Since this is related to not only geeks but also normal users. It will be a good idea if we add it. Can I take this issue? If can I take it, may I know the checklist for making a pull request?

Quite famous in Germany is https://posteo.de, but of course internationally available.

This doesn't seem to be listed:

https://www.torproject.org/docs/android.html.en

Hi @brianlovin 👋

When you launched the project, we briefly talked about creating a Todoist template to make the security checklist actionable for the many Todoist users

I've just soft published it here. I added you as the author, and "Credits to securitycheckli.st ->" as a task in the project template.

I'd love to know if you're cool with this as a template, you as the author, etc 👍

I suggest we reorder the checklist items generally on fastest/easiest to slowest/hardest, but also consider if certain items build or link to each other.
Just looking at it as a list, here's the best reordering I could come up with:

Devices:
Keep your devices up to date
Use two-factor authentication
Use a password manager
Create a strong device passcode
Encrypt your devices

Internet:
Use encrypted messaging apps when sharing sensitive information
Change your DNS settings to 1.1.1.1 or 9.9.9.9
Use a VPN
Use a privacy-first web browser
Use a privacy-first search engine
Use a privacy-first email provider
Set up a mobile carrier PIN
Freeze Your Credit

Learn and Review:
Educate yourself about phishing attacks
Review the privacy of your physical space
Review location, camera, and other sensitive device permissions
Review and remove metadata attached to photos you share
Review your social media privacy settings

Startpage offers much better results than duckduckgo, in my opinion (especially for developers). I do miss the "bangs" that duckduckgo offers, though. They recently redesigned the whole look to look really clean. What do you think?

Burners aren't just for sketchy deals anymore, they're super useful for things like Craigslist meetups and giving your information on websites that don't need it (packaging companies will print your phone number right. on. the. label 😱 )

Some resources:

• Google Voice
• Burner
• Hushed
• Too
• CoverMe
• ZipSIM

https://phishingquiz.withgoogle.com/

Might be nice. Doesn't need to be a number - how bout a Twitter circle?

In keeping with other items in the checklist which list many choices, the DNS recommendation should provide an alternative to Cloudflare's 1.1.1.1 service. I suggest 9.9.9.9, because it's focused on security and privacy.

From their website:

Security: Quad9 blocks against known malicious domains, preventing your computers and IoT devices from connecting to malware or phishing sites. Whenever a Quad9 user clicks on a website link or types in an address into a web browser, Quad9 checks the site against a list of domains combined from 19 different threat intelligence partners. Each threat intelligence partner supplies a list of malicious domains based on their heuristics which examine such factors as scanned malware discovery, network IDS past behaviors, visual object recognition, optical character recognition (OCR), structure and linkages to other sites, and individual reports of suspicious or malicious behavior. Based on the results, Quad9 resolves or denies the lookup attempt, preventing connections to malicious sites when there is a match.

Privacy: No personally-identifiable information is collected by the system. IP addresses of end users are not stored to disk or distributed outside of the equipment answering the query in the local data center. Quad9 is a not-for-profit organization dedicated only to the operation of DNS services. There are no other secondary revenue streams for personally-identifiable data, and the core charter of the organization is to provide secure, fast, private DNS.

Software updates and bug patches are annoying admittedly, but they are necessary in order to fix system's that are vulnerable.
I think adding a section about updates and why it is important to perform updates especially on devices attached to the internet would help raise awareness and encourage people to do updates when they see them.
What do you think?

The website should mention that you shouldn't use a password manager for both, passwords and 2FA codes.
Reason: this makes the password manager (which usually is locked with just one password) the single point of failure. 2FA actually becomes 1FA then, as the password manager is the only factor used for authentication.

Last one for now, I promise!

Would having an additional resource section be useful here? This checklist is a handy representation of a lot resources and articles I've seen in the past, and having a section for additional reading info might be useful.

Some resources I recommend:

• The Smart Girl's Guide to Privacy
• HackBlossom's DIY cybersecurity for domestic violence survivors
• National Network to End Domestic Violence guide to staying safe online
• ACLU's guide to staying safe when you say #MeToo
• DeleteMe - a service that can do these things for you
• Speak up & Stay Safe(r)

Another concern that might be useful to cover is moving your IoT devices to a guest network on your home router. Including Mozilla's guide Privacy not included may be useful here as well

Many services that are shown on the website have an online service: all of the cited email providers, Duckduckgo, password managers, and one of the proposed messaging app (Wire). An "Online" or "Web" item in the liste would be useful to show if there's an online alternative when a specific platform isn't shown.

If we take Duckduckgo for example:

• Windows -> directs to the website
• macOS -> directs to the website
• iOS -> directs to the iOS app
• Android -> directs to the android app
• Linux -> directs to the website

We could remove WIndows, macOS and Linux, and add "Web" directing to the website. And with the coming of age of PWAs, I think it'll be soon useful to provide this option.

Use a password manager: 1Password
"Sign up with Security Checklist to get 3 months free"
https://start.1password.com/sign-up/family?c=SECURELIST-FJN7FIKQ

How is this being offered?
What does Security Checklist get for offering this, if anything?
SECURELIST-FJN7FIKQ appears to be a referral/affiliate link code?

Thanks.

Your photos can tell everyone who’s watching them

• where you live
• where you spend your time
• when there is noone home
• where you park your car
• and other information that you wouldn’t want to tell

What is Geotag Security and How it Helps to Protect Your Family
How to Avoid the Potential Risks of Geotagging
How to Turn OFF Geotagging For Photos On iPhone and iPad
How To Turn off Geotagging in Android

This is the most important part of security!
popular software

A key area of home network security is making sure your router is up to date.

A few recommendations:

• Ensure that your router is using the most recent firmware (advanced users can install OpenWRT). This is as easy as downloading a new firmware from the manufacturer of your router and uploading it to your devices admin panel.
• Ensure that the admin password on your router is changed from the default.
• Set your DHCP settings to offer 1.1.1.1 and 1.0.0.1 as the advertised DNS server.
• Ensure that your wifi is using WPA2 and to disable WPS

Resources:

• How to Update Your Router - Toms Guide
• Why you need to update your router - Consumer Reports
• Rarely Patched Software Bugs in Home Routers Cripple Security

Sharing one specific card could be a good idea.

https://securitycheckli.st/#name-of-the-card

This is only a suggestion, but there is a website hypothes.is and they allow anyone who creates an account with them to annotate/highlight a web page.

Hypothes.is
Hypothes.is for Publishers

Now I'm not saying use them.
But I like the idea.

I think it would be cool to have a section/space where people can ask questions/help each other and highlight and add additional information about a topic, that may be more advanced?

What do you think?

@zachflower @brianlovin @mknepprath @dmleong

they already have a hardware 2fa built in, attestation of OS, full disk encryption, etc etc

Warning: validateDOMNesting(...): <a> cannot appear as a descendant of <a>.
    in a (at App.js:32)
    in li (created by Context.Consumer)
    in StyledComponent (created by style__AppSourcesListItem)
    in style__AppSourcesListItem (at App.js:31)
    in ul (created by Context.Consumer)
    in StyledComponent (created by style__AppSourcesList)
    in style__AppSourcesList (at App.js:47)
    in a (created by Context.Consumer)
    in StyledComponent (created by style__AppRowContainer)
    ...

A console warning is being thrown because AppRowContainer is a link that contains nested links - AppSourcesListItem. Maybe everything to the left of AppSourcesList should be the "main" link instead of the whole row to prevent conflicts. Low priority - I haven't seen any bugs caused by this beyond the warning.

Following the dicussion in this PR: #82:

WhatsApp is owned by Facebook. Despite the use of end-to-end encryption there's an obvious conflict of interest. I think it should be at least placed at the end of the list, or even replaced by a open source alternative, like Matrix/Riot.im (it's also self-hostable, which is a good thing).

Tutanota is a great email provider on par with ProtonMail and is just as privacy focused, they definitely deserve to be listed in the email section.

https://tutanota.com/

Cheers

Would recommend that there be sections, related to risk tolerance and user-needs, which will help organize the recommendations better.

For example, what might be relevant for a journalist hiding out covertly in a hostile country would be very different from the average internet user.

Would be open to contributing, but I think if the average user sees a long list they're more likely to just give up entirely rather than dip their toes in and start the journey.

Just wanna to share: https://nomoregoogle.com/. Maybe this will be useful.

..., maybe?

Visa
https://marketingreportoptout.visa.com/OPTOUT/request.do

Mastercard
https://www.mastercard.us/en-us/about-mastercard/what-we-do/privacy/data-analytics-opt-out.html

Is actually open-source compared to things like 1Password and does not have the security problems of web applications.

• for Windows/Linux/MacOS: https://keepassxc.org/
• for Android (Google Play & F-Droid): https://github.com/Kunzisoft/KeePassDX
• iOS: MiniKeePass: https://itunes.apple.com/us/app/minikeepass/id451661808
• website: https://keeweb.info/ (can also be integrated/self-hosted, e.g. with Nextcloud)
• (as open-source, many other integrations, such as legacy keepass that only runs on Windows though)

Linux is missing from the listed platforms. Considering that Linux is often used as a desktop in countries where people cannot afford Windows or macOS it would be a big help to global security if we can get Linux added to the list of platforms.

Another privacy item that might be useful is turning off frequently visited locations on iOS

Would a section on reviewing the different ways that a phone is tracking you (by sending aggregate data to developers) be a useful section as well? 🤔

I don't know this tools fits the security checklist so I'm referring to it here prior to opening a PR: https://mailcloak.net/

Telegram is most similar to WhatsApp (without being owned by Facebook), and Wickr is
pretty much the most secure messagining app out there. Are these worthy of consideration on the list Brian?

I know of these at least this website:

• https://twofactorauth.org/

which tracks services which support two-factor authentication (and how they do so). A link in the two-factor section would be great. Filing as an issue rather than a PR since I suspect there are other such websites out there as well.

Bitwarden is completely open source, and free with basic usage. Oh, and you can self-host! Additionally, there have been some security incidents with dashlane and lastpass. What do you think?

Pull request by @felixfoertsch #38, Thanks!

Thanks for this site! Really love all the suggestions in this.

Could we also add a section for removing yourself from popular address aggregate sites? I find this is a huge issue with leaking personal information and you can also remove your family members' information at the same time!

Most of these sites are also updated every time a person moves, so this would be good info to have on the checklist if one moves.

There seems to be a huge amount of interest in this list and that is really amazing. When I first saw this list I figured that it was edited in mind for the non-tech savvy individual. I'm seeing lots of issues which suggest adding apps and tools which are way beyond the means of the average internet goer.

@brianlovin maybe it would be best to include the intended audience for this list so we can figure out whether suggestions meet some sort ease-of-use criteria? I'm thinking something like:

I'll say though at the same time, advanced topics or suggestions would be useful if a technical audience could self select. I wonder if there could be some UI that would allow someone to view the more advanced security suggestions?