With security the first question always needs to be, "What is your threat model?"
I'm sure this list has some valuable tips but it just jumps into a bunch of "do this, don't do that" action items without contextualizing recommendations for what an individual is trying to protect themselves against, or what they don't care about.
One of the first things I noticed is "Avoid Face Unlock." Their rationale is:
> there are numerous ways to fool it and gain access to the device, through digital photos and reconstructions from CCTV footage.
The words "fool it" link to a four year old Forbes article that doesn't actually describe any successful attacks in detail. I'm not saying that there aren't successful attacks (there are, particularly for devices that rely entirely on a front-facing camera), but I find the lack of nuance here to be unhelpful.
A cheap smartphone that just uses its front-facing camera for facial recognition is not the same thing as a high-end smartphone that incorporates a depth sensor, and this list should communicate that clearly and link to more relevant information. (Like actual, successful attacks on facial recognition systems.)
Facial recognition has a long history of attacks, poorly designed implementations, and abuses. You can avoid every one of those problems (past, current, and future) by just not using it. It doesn't matter if you've got a cheap cell phone or the newest thing off the line; attacks will evolve as technology patches up old problems. Sources and links to more detailed info aren't a bad idea, but specific examples will be outdated much more quickly than the general advice will remain relevant.
The alternative is a PIN that anyone can watch you type in. "gain access to the device, through digital photos and reconstructions from CCTV footage" is a hell of a lot harder than reconstructing a PIN from CCTV footage ;)
> The alternative is a pin that anyone can watch you type in.
If they're standing directly over your shoulder, sure, but you show your face to far more people. You may also be able to have your phone scramble the order of the numbers to make it harder for people to know your PIN, or use gestures to unlock your device. You can also reset your PIN far more easily than you can reset your face.
Face recognition can work even if you're asleep, unconscious, or dead too, but nobody can ask you for a PIN in that situation.
The list says "personal checklist" and then each point is marked "recommended", "optional", or "advanced".
Reading with understanding, the threat model for this list is the average Joe who uses the internet on a daily basis but is not too technical, maybe decent at using computers, so "recommended" seems to me like a good baseline for everyone.
"Optional" is for showing what other options someone might try out, but mostly they are not that important.
"Advanced" is for showing off that the author knows more than the basics, hence implementing any of it would be security larping most of the time.
Well, maybe the author should add more context, but from what I see, someone can still infer the context of the recommendations without it being stated explicitly.
I think most people's threat model is the same. They just want to protect all their data against all threats, to a reasonable level of inconvenience. It's too general to be useful.
So, instead of trying to come up with a threat model, just use best practices. Backups, password manager, blockers in browser, software updating, firewalls, etc.
Now, if you're the 1 person in 100 or 1000 who has a stalker or who is ordering drugs over the internet, trying to create a specific threat model is appropriate.
Part of the reason to have a list like this is so people can pick up good security practices without having to think about and understand possible threat vectors.
For example, it's unlikely a lay person would even know that they should be checking that they're looking at the https versions of sites, and they probably shouldn't have to know that. We as the tech community could easily just recommend them the HTTPS Everywhere extension and call it a day.
Hard disagree here: without knowing the why, people will inevitably lapse. Your example is a great one. If a lay person saw a website that wouldn't load with the extension you recommended them, they'd just turn it off if they didn't know why it mattered.
No, I disagree. Most people are so baffled by computers that they don't want to know "why" or "how things work". They just want to be told what to do, or better still they just want you to make it work.
So just tell them "here, do backups THIS way, use THIS password manager, I've installed an ad/script-blocker in your browser, now you're in better shape".
For android use Keepass2Android which is compatible with KeePassXC.
If I had to pick between LastPass and Bitwarden, I would go with Bitwarden.
I personally use KeePassXC and Keepass2Android with the password files synced across 3 phones and 3 laptops/desktops using Syncthing and have had no problems.
Why anyone who takes personal digital security seriously would trust a central third-party system with all their passwords is beyond me. It's not exceptionally difficult to self-manage passwords effectively. No central system is secure from a major breach, and it's laughably naive to think it is; also, breaches can come close to happening at any time, or just happen. For example: https://www.theverge.com/2021/12/28/22857485/lastpass-compro....
I've only had time to skim through this; it looks like it's comprehensive.
It's also depressing how this is so far beyond what the majority of people are aware of or are willing to do. I worry what this means for cybersecurity in general.
I think tools need to get easier, and be "safe by default".
For example, operating systems should be aware of and support third-party encryption such as VeraCrypt. Today, a VC volume may be reported as "unformatted" by the OS. The opportunity to enable VC encryption on the system disk should be right in the Windows Home installer.
Browsers should default to having ad/tracker-blockers either built in, or an extension such as uBlock Origin installed by default. They should default to having location services disabled, or an extension such as Location Guard installed.
When you install an OS, the installer should ask "okay, what password manager do you want to use?". It's okay for the user to say "none", but there should be subtle pressure. Same with VPN, same with firewall, same with backup software. The OS should have built-in anti-virus (as Windows does), but also prompt up front for which anti-virus the user wants ("none" is a choice).
Browsers need to push back somehow against websites that want to know all the details of a device. Maybe default to revealing only display size and OS type, with other details not revealed to JS.
Software updating should default to "automatic" (user can change it), and include all apps (including third-party apps) as well as OS.
Strange that the section on password managers doesn't mention LastPass, and the 2FA section doesn't mention Google Authenticator. If they have criticisms of those tools, it would be better to share them. Don't just ignore them; they are two of the most popular tools in personal security.
Both of these are proprietary, I assume that's why they're left out.
LastPass is tied to a third-party service too, which seems like an odd compromise for the security of secrets. It also bundles a lot of trackers. I'd suggest people move away from a proprietary security tool that bundles spyware.
What's special about Google Authenticator? Why would you ever recommend that over any other alternative?