Suggesting updates for Chapter02-Overview-LoggingIn-and-Authentication.md #115
martinshelton
commented
Aug 16, 2021
- Removed "this is a living document" sentence and suggestion for NICAR18 documents, which do not appear to have been updated since 2018
- Fixed broken "resource roundup" link
- Removed "authorization" definition (this term does not appear again and may not add much, but no strong feelings about this!)
- Removed paragraph about obfuscation with Gmail addresses (It's a great tip, but not sure if this really helps with obfuscation. No strong feelings!)
- Removed LastPass as a recommendation in favor of 1Password, in light of LastPass's problematic new parent company: https://twitter.com/tenacioustek/status/1362049591068291076
- Replaced old 2FA-related links
- Added some photos to the 2FA section and replaced the photo in the HTTPS section
- Replaced some password manager links
- Replaced links and wordsmithed the biometric unlock section
- Removed ProtonMail suggestion for persistent email safety (this won't provide any added privacy, except for emails between ProtonMail users, so it might not be appropriate for the threat model outlined here, but we should probably plug it elsewhere in secure comms sections)
- Clarified a bit about the difference between HTTP and HTTPS, and that HTTPS is now standard, and not necessarily a sign of safety
- Consolidated two sections on temporary email into one
- Edits for clarity throughout
Couple of changes requested, but I defer to you on the authorization and biometrics ones if you don't agree.
@@ -1,10 +1,8 @@ | |||
# Security in the Newsroom: Who are you? | |||
|
|||
This is a living document and the most recent version can be found at: <https://goo.gl/7ojKpw>. This lesson plan, which covers Passwords and Two Factor Authentication is a great hour long brown-bag session that was shared with us by Alan Palazzolo at the Minneapolis Star Tribune. For other great overview lesson plans, take a look at: | |||
This lesson plan, which covers Passwords and Two Factor Authentication is a great hour long brown-bag session that was shared with us by Alan Palazzolo at the Minneapolis Star Tribune. For other great overview lesson plans, take a look at: |
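Review bot: the retained line still ends with "For other great overview lesson plans, take a look at:" with nothing after it, so removing the living-document sentence leaves a dangling lead-in; either add the lesson-plan links that clause promises or cut the clause so the paragraph ends after the Alan Palazzolo sentence.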
There's nothing linked or referenced after "...take a look at:"
Going to go ahead and drop that line, not sure what it refers to.
- Even if you don’t think you are at risk, we are all avenues to other people who may be targets. [*You are worthy of a data breach*](https://medium.com/@mshelton/journalists-you-are-worthy-of-a-data-breach-55f8e53fd3fe). | ||
|
||
## Some terminology | ||
|
||
Just to make sure we are all on the same page, here are some top-level words and concepts: | ||
|
||
- **Authentication**: A mechanism used to identify someone. The most common mechanism is a username and password, but there are others, such as PIN codes, fingerprints, and more. | ||
- **Authorization**: The ability to access a particular resource. For instance, your user on your computer has access to edit certain files, but not core, system files. |
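Review bot: deleting the Authorization bullet leaves the terminology list with a single entry and drops the one place the chapter separates proving who you are (authentication) from what that identity is allowed to do (authorization), a distinction the text relies on later when it says someone with your account "can do things as you"; keep the bullet, and if the worry is that the term is never used again, tighten it instead, e.g. "**Authorization**: what an authenticated identity is allowed to do. Your user on your computer can edit its own files, but not core system files."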
It's not explicitly used in existing lesson plans but it could be in future ones, and it is a key concept. I'd vote for keeping it.
No problem, adding that back in!
@@ -49,9 +45,9 @@ It is very possible that you have had an account compromised. The site “[*Have | |||
|
|||
**Your identity**. If someone has access to your account, they can do things as you, such as post things to Twitter, reset accounts, or access sensitive information. | |||
|
|||
The Twitter account of CNN’s host, Anderson Cooper, was [*compromised*](http://thehill.com/homenews/media/364646-anderson-cooper-says-twitter-account-hacked-after-tweet-calling-trump-a) just as recently as December. Deray Mckesson ([*@deray*](https://www.wired.com/2016/06/deray-twitter-hack-2-factor-isnt-enough/)), a prominent figure in the Black Lives Matter organization and movement, had his account hacked into, even with second-factor authentication enabled. This is a good instance where one thought a security practice was solid, but in reality, it had holes. | |||
In 2017, the Twitter account of CNN’s host, Anderson Cooper claimed his account was was [*compromised*](http://thehill.com/homenews/media/364646-anderson-cooper-says-twitter-account-hacked-after-tweet-calling-trump-a). And even with two-factor authentication enabled, Deray McKesson ([*@deray*](https://www.wired.com/2016/06/deray-twitter-hack-2-factor-isnt-enough/)), a prominent figure in the Black Lives Matter movement, had his account breached. The lesson: High-profile individuals are disproportionately targeted, and must take extra steps to lock down their account tightly. |
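Review bot: the first sentence of the new line is ungrammatical beyond the doubled "was": its subject is "the Twitter account of CNN's host" but the verb is "claimed his account was was compromised"; suggest "In 2017, CNN host Anderson Cooper said his Twitter account was compromised". The rewrite also drops the old closing sentence about a practice that looked solid but had holes, so the @deray example now reads as "2FA was on and the account was still breached" with no explanation; say which kind of second factor was in use (the Wired URL slug itself says "2-factor-isnt-enough") so the reader's takeaway is to prefer a stronger second factor, not that 2FA is not worth enabling.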
nit: "was was"
@@ -66,23 +62,25 @@ Most of us have hundreds of services that require a username and password. Most | |||
|
|||
There are two popular password manager products that you should consider using: LastPass and 1Password. Both have similar features, but **LastPass** has a free tier with all the main features, and it can be used/installed without installing an application on your computer, so it is suggested for most users. |
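Review bot: the removed line carried the two selection criteria the chapter actually gave readers (a free tier with the main features, and use without installing a desktop application); whichever manager replaces LastPass on the + side of this hunk, keep a one-clause stated reason so the recommendation is not just a product name, since the PR description's own reason for the swap (a change of parent company) shows that the criteria, not the brand, are what readers should re-check over time.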
Is this still true given shenanigans?
Agree, good catch. Nixing LastPass here.
|
||
## Biometric authentication | ||
|
||
Often used in place of a password, biometric authentication is using something that is unique to your physical body to prove that you are you. The most common is fingerprint scanning on our phones, as well as the face recognition that Apple has recently introduced. | ||
|
||
Biometric authentication has its pros and cons (need reference). If you want to use biometric authentication, it is suggested to enhance it with a password or PIN; for instance, on Android, you can require the password every few days. If you are at a higher risk than most, such as working on very sensitive materials, use both a password and biometrics every time. | ||
|
||
The use of biometric authentication is not new, but its consumer use is relatively new, and it really isn’t known what the [*practical*](https://views-voices.oxfam.org.uk/aid/2017/11/biometrics-help-us-answer-question) or [*legal*](https://www.popsci.com/iphonex-facial-recognition-legal-unlock) consequences of it are. | ||
The use of biometric authentication is not new, but its consumer use is relatively new, we are still learning about the [*practical*](https://techcrunch.com/2021/07/26/court-orders-us-capitol-rioter-to-unlock-his-laptop-with-his-face/) and [*legal*](http://www.pennstatelawreview.org/print-issues/face-it-the-convenience-of-a-biometric-password-may-mean-forfeiting-your-fifth-amendment-rights/) implications of biometric device unlock software. In general, in risky situations where there is a reasonable chance your device might be seized (e.g., when visiting a border or protest) it may be best to disable biometrics. |
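Review bot: the new line has a comma splice ("its consumer use is relatively new, we are still learning"); keep the old line's conjunction: "...relatively new, and we are still learning about...". Two further points in this hunk: the unchanged context line "Biometric authentication has its pros and cons (need reference)" still ships a "(need reference)" placeholder into the published chapter, which this wordsmithing pass should resolve or drop; and "it may be best to disable biometrics" is hedged where the rest of the section is practical, so state it plainly: when seizure is plausible, turn biometric unlock off and rely on the passcode or password, then turn it back on afterwards.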
I think you can make a stronger recommendation here - face/fingerprint unlocking should be disabled in situations where arrest/search and seizure are more likely.
Tried to strengthen the recommendation here.
Responding to @zenmonkeykstop's review