From e49d2df4b73052f456aa88bd0004ae66eeb921d0 Mon Sep 17 00:00:00 2001 From: redoomed1 <161974310+redoomed1@users.noreply.github.com> Date: Mon, 5 Aug 2024 04:04:25 +0000 Subject: [PATCH] style: Add subheadings on Common Threats page (#2686) Signed-off-by: Jonah Aragon Signed-off-by: Daniel Gray --- docs/basics/common-misconceptions.md | 2 +- docs/basics/common-threats.md | 70 ++++++++++++++++++++-------- docs/desktop.md | 2 +- docs/os/linux-overview.md | 2 +- docs/os/windows/index.md | 2 +- mkdocs.yml | 2 +- theme/assets/stylesheets/extra.css | 19 ++++---- 7 files changed, 64 insertions(+), 35 deletions(-) diff --git a/docs/basics/common-misconceptions.md b/docs/basics/common-misconceptions.md index 02d46363cd..c17c9d2f74 100644 --- a/docs/basics/common-misconceptions.md +++ b/docs/basics/common-misconceptions.md 
@@ -42,7 +42,7 @@ schema: These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you should look at the reputation and security of each tool on an individual basis. -Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities known as :material-package-variant-closed-remove: Supply Chain Attacks, which are discussed further in our [Common Threats](common-threats.md) page.[^1] +Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities known as [:material-package-variant-closed-remove: Supply Chain Attacks](common-threats.md#attacks-against-certain-organizations){ .pg-viridian }, which are discussed further in our [Common Threats](common-threats.md) page.[^1] On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. 
Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering. diff --git a/docs/basics/common-threats.md b/docs/basics/common-threats.md index 7d8bf19ad2..88f940ca64 100644 --- a/docs/basics/common-threats.md +++ b/docs/basics/common-threats.md 
@@ -6,15 +6,41 @@ description: Your threat model is personal to you, but these are some of the thi Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat. -- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically. -- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically. -- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once. -- :material-package-variant-closed-remove: Supply Chain Attacks - A vulnerability or exploit introduced into otherwise good software either directly or through a dependency from a third party. -- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server). -- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities. -- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors. 
-- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public. -- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online. +:material-incognito: **Anonymity** + +: Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically. + +:material-target-account: **Targeted Attacks** + +: Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically. + +:material-package-variant-closed-remove: **Supply Chain Attacks** + +: Typically a form of :material-target-account: Targeted Attack that centers around a vulnerability or exploit introduced into otherwise good software either directly or through a dependency from a third party. + +:material-bug-outline: **Passive Attacks** + +: Being protected from things like malware, data breaches, and other attacks that are made against many people at once. + +:material-server-network: **Service Providers** + +: Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server). + +:material-eye-outline: **Mass Surveillance** + +: Protection from government agencies, organizations, websites, and services which work together to track your activities. + +:material-account-cash: **Surveillance Capitalism** + +: Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors. + +:material-account-search: **Public Exposure** + +: Limiting the information about you that is accessible online—to search engines or the general public. + +:material-close-outline: **Censorship** + +: Avoiding censored access to information or being censored yourself when speaking online. 
Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-package-variant-closed-remove: Supply Chain Attacks and :material-target-account: Targeted Attacks. They will likely still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices. @@ -45,6 +71,8 @@ Desktop operating systems generally lag behind on proper sandboxing. ChromeOS ha +## Attacks against Specific Individuals + :material-target-account: Targeted Attacks Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies. 
@@ -58,6 +86,8 @@ By design, **web browsers**, **email clients**, and **office applications** typi If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://learn.microsoft.com/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user. +## Attacks against Certain Organizations + :material-package-variant-closed-remove: Supply Chain Attacks Supply chain attacks are frequently a form of :material-target-account: Targeted Attack towards businesses, governments, and activists, although they can end up compromising the public at large as well. 
@@ -71,19 +101,19 @@ A notable example of this occurred in 2017 when M.E.Doc, a popular accounting so There are few ways in which this type of attack might be carried out: -1. A contributor or employee might work their way into a position of power within a project or organization, then abuse that position by adding malicious code. +1. A contributor or employee might first work their way into a position of power within a project or organization, and then abuse that position by adding malicious code. 2. A developer may be coerced by an outside party to add malicious code. 3. An individual or group might identify a third party software dependency (also known as a library) and work to infiltrate it with the above two methods, knowing that it will be used by "downstream" software developers. -These sorts of attacks can require a lot of time and preparation to perform and are risky because they can be detected, particularly in open source projects if they are popular and have outside interest. Unfortunately they're also one of the most dangerous as they are very hard to mitigate entirely. We would encourage readers only use software which has a good reputation and makes an effort to reduce risk by: +These sorts of attacks can require a lot of time and preparation to perform and are risky because they can be detected, particularly in open source projects if they are popular and have outside interest. Unfortunately they're also one of the most dangerous as they are very hard to mitigate entirely. We would encourage readers to only use software which has a good reputation and makes an effort to reduce risk by: -1. Only adopting popular software that has been around for a while. The more interest in a project the greater likelihood that external parties will notice malicious changes. A malicious actor will also need to spend more time gaining community trust with meaningful contributions. +1. Only adopting popular software that has been around for a while. 
The more interest in a project, the greater likelihood that external parties will notice malicious changes. A malicious actor will also need to spend more time gaining community trust with meaningful contributions. 2. Finding software which releases binaries with widely-used, trusted build infrastructure platforms, as opposed to developer workstations or self-hosted servers. Some systems like GitHub Actions let you inspect the build script that runs publicly for extra confidence. This lessens the likelihood that malware on a developer's machine could infect their packages, and gives confidence that the binaries produced are in fact produced correctly. 3. Looking for code signing on individual source code commits and releases, which creates an auditable trail of who did what. For example: Was the malicious code in the software repository? Which developer added it? Was it added during the build process? -4. Checking whether the source code has meaningful commit messages (such as [conventional commits](https://conventionalcommits.org)) which explain what the change is supposed to accomplish. Clear messages can make it easier for outsiders to the project to verify, audit, and find bugs. -5. Noting the number of contributors or maintainers a program has. A lone developer may be more susceptible to being coerced into adding malicious code by an external party, or to negligently enable undesirable behavior. This may very well mean software developed by "Big Tech" has more scrutiny than a lone developer who doesn't answer to anyone. +4. Checking whether the source code has meaningful commit messages (such as [conventional commits](https://conventionalcommits.org)) which explain what each change is supposed to accomplish. Clear messages can make it easier for outsiders to the project to verify, audit, and find bugs. +5. Noting the number of contributors or maintainers a program has. 
A lone developer may be more susceptible to being coerced into adding malicious code by an external party, or to negligently enabling undesirable behavior. This may very well mean software developed by "Big Tech" has more scrutiny than a lone developer who doesn't answer to anyone. -## Privacy From Service Providers +## Privacy from Service Providers :material-server-network: Service Providers 
@@ -98,7 +128,7 @@ Thankfully, E2EE can alleviate this issue by encrypting communications between y In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering). -On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt. +On the other hand, web-based E2EE implementations, such as Proton Mail's web app or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt. Therefore, you should use native applications over web clients whenever possible. 
@@ -121,7 +151,7 @@ In France you can take a look at the [Technopolice website](https://technopolice -Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others. +Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, as breaches of human rights, they're most often used to disproportionately target minority groups and political dissidents, among others.

ACLU: The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward

@@ -132,7 +162,7 @@ In the face of Edward Snowden's disclosures of government programs such as [PRIS Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2] -Online, you can be tracked via a variety of methods: +Online, you can be tracked via a variety of methods, including but not limited to: - Your IP address - Browser cookies @@ -140,10 +170,10 @@ Online, you can be tracked via a variety of methods: - Your browser or device fingerprint - Payment method correlation -\[This list isn't exhaustive]. - If you're concerned about mass surveillance programs, you can use strategies like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information. +## Surveillance as a Business Model + :material-account-cash: Surveillance Capitalism > Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3] diff --git a/docs/desktop.md b/docs/desktop.md index 265361e6d3..583f175939 100644 --- a/docs/desktop.md +++ b/docs/desktop.md 
@@ -231,7 +231,7 @@ Choosing a Linux distro that is right for you will come down to a huge variety o - Free and open source. - Receives regular software and kernel updates. -- Avoids X11, as its last major release was [more than a decade](https://www.x.org/wiki/Releases) ago. +- Avoids X11, as its last major release was [more than a decade](https://x.org/wiki/Releases) ago. - The notable exception here is Qubes, but the [isolation issues](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation) which X11 typically has are avoided by virtualization. This isolation only applies to apps *running in different qubes* (virtual machines); apps running in the *same* qube are not protected from each other. - Supports full-disk encryption during installation. - Doesn't freeze regular releases for more than 1 year. diff --git a/docs/os/linux-overview.md b/docs/os/linux-overview.md index 9c1f3de3d2..c752cc3c0e 100644 --- a/docs/os/linux-overview.md +++ b/docs/os/linux-overview.md 
@@ -67,7 +67,7 @@ Arch and Arch-based distributions are not recommended for those new to Linux (re For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](#mandatory-access-control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit). -Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository) **must** be comfortable auditing PKGBUILDs that they download from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository). +Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository) **must** be comfortable auditing PKGBUILDs that they download from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software [:material-package-variant-closed-remove: Supply Chain Attacks](../basics/common-threats.md#attacks-against-certain-organizations){ .pg-viridian }, which has in fact happened [in the past](https://bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository). The AUR should always be used sparingly, and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. 
Similar warnings apply to the use of third-party Personal Package Archives (PPAs) on Debian-based distributions or Community Projects (COPR) on Fedora. diff --git a/docs/os/windows/index.md b/docs/os/windows/index.md index dae43e6c2e..fb729faf03 100644 --- a/docs/os/windows/index.md +++ b/docs/os/windows/index.md 
@@ -25,7 +25,7 @@ This section is a work in progress, because it takes considerably more time and ## Privacy Notes -Microsoft Windows, particularly those versions aimed at consumers like the **Home** version often don't prioritize privacy friendly features by [default](https://theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings). As a result we often see more [data collection](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) than necessary, without any real warnings that this is the default behavior. In an attempt to compete with Google in the advertising space, [Cortana](https://en.wikipedia.org/wiki/Cortana_(virtual_assistant)) has included unique identifiers such as an "advertising ID" in order to correlate usage and assist advertisers in targeted advertising. At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) the data that is sent to them. +Microsoft Windows, particularly those versions aimed at consumers like the **Home** version often don't prioritize privacy friendly features by [default](https://theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings). As a result we often see more [data collection](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) than necessary, without any real warnings that this is the default behavior. In an attempt to compete with Google in the advertising space, [Cortana](https://en.wikipedia.org/wiki/Cortana_(virtual_assistant)) has included unique identifiers such as an "advertising ID" in order to correlate usage and assist advertisers in targeted advertising. 
At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce](https://extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) the data that is sent to them. With Windows 11 there are a number of restrictions or defaults such as: diff --git a/mkdocs.yml b/mkdocs.yml index 51a75216aa..5634364b5c 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -282,7 +282,7 @@ theme: - search.highlight extra_css: - - assets/stylesheets/extra.css?v=20240801 + - assets/stylesheets/extra.css?v=20240802 extra_javascript: - assets/javascripts/randomize-element.js?v=20240801 - assets/javascripts/feedback.js?v=20240801 diff --git a/theme/assets/stylesheets/extra.css b/theme/assets/stylesheets/extra.css index 04424be2f5..68b294dcfb 100644 --- a/theme/assets/stylesheets/extra.css +++ b/theme/assets/stylesheets/extra.css @@ -283,32 +283,31 @@ details[class="downloads annotate"] > p .md-annotation span span::before { /* Badge colors */ .pg-purple { - color: var(--pg-purple); + color: var(--pg-purple)!important; } .pg-red { - color: var(--pg-red); + color: var(--pg-red)!important; } .pg-orange { - color: var(--pg-orange); + color: var(--pg-orange)!important; } .pg-teal { - color: var(--pg-teal); + color: var(--pg-teal)!important; } .pg-brown { - color: var(--pg-brown); + color: var(--pg-brown)!important; } .pg-blue { - color: var(--pg-blue); + color: var(--pg-blue)!important; } .pg-green { - color: var(--pg-green); + color: var(--pg-green)!important; } .pg-blue-gray { - color: var(--pg-blue-gray); + color: var(--pg-blue-gray)!important; } - .pg-viridian { - color: var(--pg-viridian); + color: var(--pg-viridian)!important; } /* Make header icons smaller */
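Review bot: in the `docs/basics/common-misconceptions.md` hunk (`@@ -42,7 +42,7 @@`), the new `{ .pg-viridian }` attribute on the Supply Chain Attacks link only renders in the badge color because of the `!important` added to `.pg-viridian` in the `extra.css` hunk at the end of this patch; on its own, the class color loses to the theme's link color rule. The docs change and the CSS change are therefore coupled and should not be cherry-picked separately, which is worth a sentence in the commit body since the subject line only mentions subheadings.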
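Review bot: in the first `docs/basics/common-threats.md` hunk (`@@ -6,15 +6,41 @@`), the overview list is reordered so that Supply Chain Attacks now precedes Passive Attacks, but the body sections keep the old order (the Passive Attacks material sits in the unchanged context before line 71, the Targeted Attacks heading lands at 71 and the Supply Chain heading at 86 in the new numbering), so the overview no longer mirrors the page; either move the Supply Chain section up or restore the list order. Two smaller points: the new `: ` definition-list lines render only if the `def_list` Markdown extension is enabled, and the `mkdocs.yml` hunk in this patch does not show it, so please confirm it is already on; and the new entry says supply chain attacks are "Typically a form of" Targeted Attack while the section body still says "frequently a form of", so pick one wording.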
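Review bot: the `@@ -45,6 +71,8 @@` hunk adds `## Attacks against Specific Individuals` above the `:material-target-account: Targeted Attacks` label, matching the existing `## Privacy from Service Providers` / `:material-server-network: Service Providers` pattern, which is good. The patch, however, only introduces H2s for Targeted Attacks, Supply Chain Attacks and Surveillance Capitalism; if the Anonymity, Passive Attacks, Mass Surveillance, Public Exposure and Censorship sections do not already carry H2 headings in the unchanged text, the page ends up with subheadings for only some of the threats listed in the overview, and the table of contents will look uneven. Please check the unchanged sections before merging.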
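Review bot: the `@@ -58,6 +86,8 @@` hunk titles the supply chain section `## Attacks against Certain Organizations`, yet the section's own first sentence says these attacks "can end up compromising the public at large as well", and this patch makes the heading the canonical cross-page target for supply chain attacks (linked from `common-misconceptions.md` and `linux-overview.md` as `#attacks-against-certain-organizations`). Since that fragment is generated from the heading text, any later rewording silently breaks both links; consider giving the heading an explicit id with the attr_list syntax the repo already uses, e.g. `## Attacks against Certain Organizations { #supply-chain-attacks }`, and linking to that instead.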
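Review bot: the `@@ -71,19 +101,19 @@` hunk is a copy-edit pass over the supply chain list, so the unchanged context line `There are few ways in which this type of attack might be carried out:` should be fixed in the same pass: as written it means "not many ways", whereas the list that follows enumerates the ways; `There are a few ways in which ...` is what is intended. The other edits in the hunk (`to only use software`, `what each change is supposed to accomplish`, `negligently enabling`) read correctly.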
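Review bot: in the `@@ -121,7 +151,7 @@` hunk, the rewritten sentence `However, as breaches of human rights, they're most often used to disproportionately target minority groups ...` attaches "as breaches of human rights" to the programs being used, which reads as a dangling modifier. Something like `However, in breach of human rights, they are most often used to disproportionately target ...` keeps the intended meaning (the programs violate rights, and are used against minorities) without the awkward apposition.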
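Review bot: the `docs/desktop.md` hunk (`@@ -231,7 +231,7 @@`) changes `https://www.x.org/wiki/Releases` to `https://x.org/wiki/Releases`. Dropping `www.` assumes the apex host serves the same page over HTTPS with a valid certificate, which is not always the case; please verify the bare-domain URL resolves (and is not just a redirect back to `www.`) before merging. This URL edit is also unrelated to the commit subject (`style: Add subheadings on Common Threats page`), so it would be cleaner in its own commit.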
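Review bot: in the `docs/os/linux-overview.md` hunk (`@@ -67,7 +67,7 @@`), the rewritten sentence `... are vulnerable to software [:material-package-variant-closed-remove: Supply Chain Attacks](...){ .pg-viridian }, which has in fact happened ...` now has a plural antecedent ("Supply Chain Attacks") followed by the singular `has`; since the sentence is being touched anyway, change it to `which have in fact happened` or `as has in fact happened`. The relative link target `../basics/common-threats.md#attacks-against-certain-organizations` is correct for the heading added in this patch.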
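Review bot: the `docs/os/windows/index.md` hunk (`@@ -25,7 +25,7 @@`) makes the same `www.` removal as the `desktop.md` hunk (`https://www.extremetech.com/...` to `https://extremetech.com/...`), and the same check applies: confirm the apex host serves the article over HTTPS rather than assuming it. Nothing else in the paragraph changes, so this is another unrelated edit riding on a "style: subheadings" commit.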
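Review bot: the `mkdocs.yml` hunk bumps `extra.css?v=20240801` to `?v=20240802`, which is needed because the CSS change below is what makes the new `{ .pg-viridian }` links render correctly and cached stylesheets would otherwise show them in the default link color. The JavaScript entries are rightly left at `20240801` since no JS changes here. Minor: the value looks like a date but is three days before the commit date (`Mon, 5 Aug 2024`); if the convention is "date of change", `20240805` would be the consistent choice.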
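Review bot: the `theme/assets/stylesheets/extra.css` hunk (`@@ -283,32 +283,31 @@`) adds `!important` to every `.pg-*` badge color, which wins the link-color fight for `{ .pg-viridian }` anchors but also makes hover, visited and dark-scheme overrides impossible without further `!important` rules. A more specific selector such as `.md-typeset a.pg-viridian { color: var(--pg-viridian); }` for the link case would likely achieve the same without escalating specificity for all nine classes, and keeps the badge classes usable elsewhere. Two style nits: write `var(--pg-purple) !important` with a space before the bang, matching common CSS style, and the hunk incidentally fixes the stray leading space on `- .pg-viridian {`, which is a welcome cleanup but worth a mention in the commit body.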