Update SECURITY.md

mayfrost 2018-04-14 00:17:56 -03:00 committed by GitHub
parent 3df5af6e04
commit 472942bf12
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -1,24 +1,24 @@
# SECURITY IN ORDERS OF DIFFICULTY # SECURITY IN ORDERS OF DIFFICULTY
Not necessarily meant to be followed step by step, although it is recommended. Not necessarily meant to be followed step by step, although it is recommended. Some steps are valid during all levels, others give way to better alternatives further on.
* __Level 1__: Avoid using your real name online and avoid giving away any personal information. You can use The Random Identity Generator (rig) to generate an online persona and/or login sites using passwords from [BugMeNot](http://bugmenot.com). * __Level 1__: Avoid using your real name online and avoid giving away any personal information. You can use [The Random Identity Generator](http://rig.sourceforge.net/) (rig) to generate an online persona and/or login sites using passwords from [BugMeNot](http://bugmenot.com).
* __Level 2__: Don't save your passwords on plaintext or in some "cloud" service like Lastpass and don't save logins on your phone or web browser. Create and remember one good main password (must have lowercase, uppercase, numbers and symbols, be longer than 8 characters and be change bimonthly), use KeePassX (and I mean the one with an X) and use the option to generate different passwords for each account you have. Other option is kpcli which works on the command line and is just a perl script (the best option). * __Level 2__: Don't save your passwords on plaintext or in some "cloud" service like Lastpass and don't save logins on your phone or web browser. Create and remember one good main password (must have lowercase, uppercase, numbers and symbols, be longer than 8 characters and be change bimonthly), use KeePassX (and I mean the one with an X) and use the option to generate different passwords for each account you have. Other option is [kpcli](https://github.com/alecsammon/kpcli) which works on the command line and is just a perl script (this is the best option).
* __Level 3__: When possible opt for IRC instead of non-publicly auditable chat networks. A good and easy IRC application is Hexchat, another is irssi (best option). You can use BitlBee to access other chat networks through an IRC client if you need. * __Level 3__: When possible opt for IRC instead of non-publicly auditable chat networks. A good and easy IRC application is Hexchat, another is irssi (best option). You can use [BitlBee](https://wiki.bitlbee.org/) to access other chat networks through an IRC client if you need.
* __Level 4__: Use Searx instead of Google when in need to search on the web. * __Level 4__: Use [Searx](https://github.com/asciimoo/searx/wiki/Searx-instances) instead of Google when in need to search on the web.
* __Level 5__: When possible opt for Mastodon (GNU Social) instead of non-publicly auditable social networks known to sell private information. * __Level 5__: When possible opt for [Mastodon (GNU Social)](https://joinmastodon.org/) instead of non-publicly auditable social networks known to sell private information.
* __Level 6__: Replace your e-mail provider with a more safe, more appropriate provider. A good option is cock.li. * __Level 6__: Replace your e-mail provider with a more safe, more appropriate provider. A good option is [cock.li](https://cock.li/).
* __Level 7__: Use an e-mail client that can to block web beacons (tracking pixels). Thunderbird is easy and has a plugin for this, Mutt or Alpine are better options. * __Level 7__: Use an e-mail client that can to block web beacons (tracking pixels). Thunderbird is easy and has a plugin for this, Mutt or Alpine are better options.
* __Level 8__: Encrypt your e-mails with GnuPG. Thunderbird has the Enigmail plugin for this, you can can script the use of GPG on Mutt. * __Level 8__: Encrypt your e-mails with GnuPG. Thunderbird has the Enigmail plugin for this, you can can script the use of GPG on Mutt.
* __Level 9__: Delete any metadata from files you share on the internet. MAT is an easy tool for this, ExifTool is a better option. * __Level 9__: Delete any metadata from files you share on the internet. ExifTool in combination with [renamer](https://github.com/CaptainBlacklace/Renamer) is a good option.
* __Level 10__: Anonymize your writting style on any text with anti stylometry software like Anonymouth when you share documents. * __Level 10__: Anonymize your writting style on any text with anti stylometry software like [Anonymouth](https://github.com/psal/anonymouth) when you share documents.
* __Level 11__: Use your web browser with javascript, cookies and any telemetry (like "pocket", geolocation and WebRTC) disabled and reduce the browser fingerprinting. Enable javascript and cookies only on selected sites. GNU IceCat is the best option, Firefox works too. * __Level 11__: Use your web browser with javascript, cookies and any telemetry (like "pocket", geolocation and WebRTC) disabled and reduce the browser fingerprinting. Enable javascript and cookies only on selected sites. GNU IceCat is the best option, Firefox works too.
### Start of medium level security ### Start of medium level security
* __Level 12__: Install LineageOS on your phone and use F-Droid without gapps (Google app store), with IceCatMobile for web browser, KeePassDroid, AFWall+ and Android IMSI-Catcher Detector. Use Yalp Store or Aptoide (or download from apkmirror/apkpure) with microG if you need a gapps app. * __Level 12__: Install LineageOS on your phone and use F-Droid without gapps (Google app store), with IceCatMobile for web browser, KeePassDroid, AFWall+ and Android IMSI-Catcher Detector. Use Yalp Store or Aptoide (or download from apkmirror/apkpure) in combination with microG if you need a gapps app.
* __Level 13__: Use GNU/Linux on your computers, preferably free from "systemd". PCLinuxOS is an easy first choice, Devuan is a better option. Stay away from something called BSD. * __Level 13__: Use GNU/Linux on your computers, preferably free from "systemd". PCLinuxOS is an easy first choice, Devuan is a better option. Stay away from something called BSD.
* __Level 14__: Uninstall Avahi, CUPS (replace with Line Printer if needed), Telnet, the R-tools (rlogin, rsh, rcp, rwho, rexec), fingerd, and if unused uninstall services like ssh/web/ftp/mail. * __Level 14__: Uninstall Avahi, CUPS (replace with Line Printer if needed), Telnet, the R-tools (rlogin, rsh, rcp, rwho, rexec), fingerd, and uninstall unused services like ssh/web/ftp/mail.
* __Level 15__: Use Uncomplicated Firewall to block inbound AND outbound network traffic, permitting only what you need. * __Level 15__: Use Uncomplicated Firewall to block inbound AND outbound network traffic, permitting only what you need.
* __Level 16__: Use Firejail or Bubblewrap to sandbox your applications. * __Level 16__: Use Firejail or Bubblewrap to sandbox your applications.
* __Level 17__: When possible give your applications a separate user account and use sudo, chroot, fakeroot, ulimit and quota with them. * __Level 17__: When possible give your applications a separate user account and use sudo, chroot, fakeroot, ulimit and quota with them.
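Review bot: several wording defects on the old side are carried over unchanged into the new side of this hunk and should be fixed while these lines are being touched: Level 2 "be change bimonthly" (should be "be changed"), Level 7 "can to block" (should be "can block"), Level 8 "you can can script" (doubled word), Level 10 "writting" (should be "writing"), and Level 2 "Other option is" (should be "Another option is"). On substance, the Level 2 requirement that the master password "be change bimonthly" conflicts with current guidance (NIST SP 800-63B advises against forced periodic rotation of a strong secret unless compromise is suspected), so consider dropping or qualifying it. The Level 9 change replaces MAT with "ExifTool in combination with renamer" without saying what the renamer repo adds over ExifTool alone or why MAT was dropped; a short clause explaining the pairing would help, and since the link points at a personal GitHub repository, confirm it is the intended upstream. Likewise, the new kpcli link goes to a GitHub mirror rather than the project's own home; link the upstream if one exists.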