Storing the "best information" on security practices by topic

(Continuing the discussion from Stuff happening with Tinfoil)

As @cbanga and @grugq pointed out, we have a lot of useful information that could be stored somewhere more accessible than the forum. The forum is useful for discussion, but it may not be ideal for documenting up-to-date, recommended practices. Ideally it's searchable and allows contributions from everyone here. Rather than an "archive" of unchanging information, it should be responsive to new tools and practices.

The question is, what should this system look like? It could be an FAQ, it could be a wiki, but maybe it's something else. What do you think?

Is Github too dorky? Best practices could be a .md file & changes could be added/approved/rejected as pull requests. The whole thing could be put up as a static site with Github Pages & Jekyll. A domain re-direct from https://resources.tinfoil.press or something similar would take the user to the page hosted on Github Pages. This "resources" subdomain could be linked to at the top of the forum over here at https://tinfoil.press.

Obviously, this wouldn't be as democratic as a reddit/hacker news setup, where users upvote/downvote, but I think that's a good thing, when it comes to assembling canonical information. There's a good reason why "copying and pasting from stackoverflow" is a joke, or why citing Wikipedia in academic papers is unacceptable. Peer review is a horizontal process, but the "stable" results of that process have to be frozen, with further changes vetted, otherwise the results become chaotic and unreliable/unusable.

Github pull requests, with a small circle of mods controlling the repo, may be a good balance between tapping the hive mind and vetting suggestions.

Capturing the knowledge created in this forum is a great idea. I have a few thoughts on this.

Archiving the raw conversations: One easy first step that you could take is to allow web-archiving bots to access the forum. Currently, if I want to use Internet Archive to save parts, or all, of the valuable information here for anyone to view in the future I can't do it through any of the various web-archives out there. You can enable this by adding the following to your robots.txt file.

User-agent: ia_archiver
Disallow:

Making it available: If there is a person who is willing to do the work to capture the knowledge that is contained in this forum then I think that a GitHub repo is a fine back-end, as long as there is a github page or other front-end for users to view. It sounds like that is the work-flow that is being proposed. If we want a more collaborative, or user submitted interface, github is inaccessible to the non-initiated and will reduce contribution.

Leverage existing resources: There are some great examples of curated security practices projects that use github to store both their content and authoring/publication code. I would say that it would make sense to leverage one or more of these existing projects as a base to present whatever information that we decide to present. It increases the probability of actually accomplishing the task, and forces us into an information presentation schema that has gone through consideration and testing already.

https://www.digitaldefenders.org/digitalfirstaid/
https://github.com/RaReNet/DFAK

https://securityinabox.org/
https://github.com/securityinabox/siabguide

https://ssd.eff.org/en
https://github.com/EFForg/ssd

https://github.com/securityfirst/Umbrella_android
https://github.com/securityfirst/Umbrella_android
https://github.com/securityfirst/Umbrella_content

Capture the context: There is a lot of useful information that has been contributed to this forum. But, I think that if the responses get captured as sets of "best practices" it will simply add more confusion for those seeking out guidance. The guidance should be presented along-side the context which the information was originally provided within. This thread without the question would be useful. With the question it can be immensely valuable. A security practices "comparison shopper" can compare their perceived the threat actor, motivation, and the tools and channels they already use against the original scenario and reason accordingly. When I work with groups or individuals who have already considered their security practices without one-on-one support for threat modeling and risk assessment I always have to first work them back from trying to implement "best practices" that are ill suited to their adversaries and often require more effort than more-effective solutions.

The easiest path would be to make context-specific advice into one format, and generic guidance into another. SSD did this with their briefings, overviews, and tutorials sections.

Another easy, but long-term archive dependent, path to achieve this end is to embeded links to the conversation source to and best practices provided to the user.

The slightly more difficult path would be to simply make sure that each best practice is appended with a swath of meta-data about the context (adversary capabilities, communication channel, level of effort, etc.) in a completely non-documented and fluid manner. This way the short-hand, subjective, information about the advice is captured and presented to the reader without having to come up with a proper schema. This one is dangerous, because most anyone would rather "paint the bike shed" debating the proper schema than actually doing the work of transferring and annotating the content to the site. (For those interested in talking at length about security information and threat information schema's feel free to reach out to me.)

I like the idea of a git repository with a wiki. Personally, I'd prefer to see GitLab as it's open source, but that's just a personal opinion.

I think that git may be a bit too nerdy, but if we're just managing a wiki/readme sort of situation through it, there are guides to make this manageable amongst even those who are completely unfamiliar. And certainly people from the community who are most active (and more likely to have a good technical understanding of git) will likely be the most frequent contributors anyways.

I think a solution like git, where trusted common contributors to the forum/security experts approve MR's through some sort of policy, would lead to a fairly well organized and technically valuable document.

I do heavily agree with @stuohy, especially about archiving the forum, especially through internet archive.

Using a git based system will add massive friction. Unless there is a website interface to edit the wiki, there will be very few contributors. GitLab has a wiki system that is very easy to use, supports Markdown, and is basically clean.

If people have to send PR, it will never have wide adoption. That may be fine if there are people that volunteer to administer the content.

Personally, I would suggest anything that can be edited from a browser that supports markdown.

Maybe GitLab for managing contributions, since it has a wiki and people don't have to use git, plus a static site that uses Jekyll, since both GitLab and Jekyll use Markdown files? That way the information can be presented in a visually appealing way on a static site, and contributors can add ideas on the GitLab wiki "backend."

Interesting ideas. I'm a fan of GitLab, but I also want it to be accessible to less technical users (who might find git intimidating). I wonder if there are any simpler alternatives? (e.g., Google Docs, Etherpad). The downside is that permissions and version controlling aren't ideal in those systems.

With GitLab, the GUI web interface is pretty simple to use, and you do get the benefit of attributed versioning for history and optional change comments. The notes would be nice for referencing in the future just why information was added or removed.

Another questions is: what sort of information should be published? I imagine most people agree that we shouldn't write another "guide" about how to use tools a, b, & c.

@jonathanstray has mentioned making context-specific rules of thumb, which is both clearly useful and hard to accomplish, since small changes in the context can change the corresponding "best practice" dramatically.

So, I largely agree with @jonathanstray that basing rules of thumb around real world scenarios is the right way to go, I just think that modeling those rules based on adversaries (FVEY nation state, criminal gang, local police, etc) is not the best approach, since those adversaries capabilities vary, case to case, and change over time. I would be worried that this advice would quickly go stale or underestimate certain classes of adversaries, since surveillance capabilities tend to trickle down market, and since adversaries that are nominally within the same category can have vastly different capabilities, in practice.

What might work instead would be to organize suggestions around journalistic activities, such as:

-crossing borders & dealing with check points
-meeting & communicating with sources
-handling large document sets securely

etc.

For each journalistic activity, several approaches could be provided, organized by their level of security (for example, it is common for laptops to be searched at the U.S. border; if your laptop is encrypted and you refuse to provide the passphrase, then it may be seized. However, U.S. Customs is not in the habit of forcing people to log into their email accounts, whereas this is common practice when transiting customs in Israel. Therefore, when transiting U.S. customs, it is necessary to have a burner laptop, and to encrypt and upload your files before transiting. In Israel, you will also need a throwaway email account that has plenty of pocket litter - trivial conversations with non-sensitive individuals).

This way, the journalist could use their judgement and pick which security level is appropriate for their situation.

The Gitlab wiki looks pretty ideal, since it's an easy to use version control system in the form of a web app wiki. I suggested Jekyll earlier, as a way to present the finished information, but since Jekyll is designed for blogging, and thus presenting information chronologically, this may not be best. One option that may work better is Read The Docs. It's designed for publishing documentation and plays nicely with most version control systems (including git) on the backend. The SecureDrop documentation is published using this tool, for example.

Gitlab + Read The Docs?

Thoughts?

I had heard of Read The Docs, but never looked into it. That looks like a good system that would work well for us. My only thought was, it looks like it may support markdown, but everything I saw seemed to be in .rst format. I'm not sure that's a huge or showstopping issue. Just have never used it, and wasn't sure how complex and easy it is to pick up (if we're focused on making it simple for novice users to contribute).

I like @ethannorth's suggestion of organizing by task. Umbrella does a little of this already. Aside from "here is generally how to think about security" advice -- do we have anything better than threat modeling for this? -- I think the goal would be to organize the information in the way that matches the questions novice practitioner would pose. And perhaps this is task based.

Though I still wonder where we would put essential context specific stuff, e.g. the difference between US and Israeli customs.

Beyond that, I don't care which tools are used to put this stuff up. Anything with an in-browser editor. I don't care who maintains it either, other than changes should be reviewed by someone (so not open wiki style).

Worth flagging the work of iiLab in trying to wrangle these projects together into a re-use community format and content flow.

https://github.com/iilab/openmentoring-content

Seems to support markdown, although .rst is standard:

https://read-the-docs.readthedocs.io/en/latest/getting_started.html

Hey folks,

Lots of good ideas here. Anyone want to experiment with one or more of the ideas above? I'm doing the same with a preliminary wiki-style FAQ: https://tinfoil.press/t/frequently-asked-questions-wiki/193/1

Not everyone loves wikis. If you do want to try out alternatives / proof of concepts for an article, be sure to share here.