Misc – I Failed the Turing Test

How to Stay Safe Online: Tips for Personal Security

2023-04-202023-09-30VintaMisc

How I learned to "start worrying" and love the illusion of feeling safe.

Digital security and privacy have become more important than ever. With cyber threats constantly evolving, it is crucial to stay up-to-date with best practices and take proactive measures to protect your online presence. This comprehensive guide covers a wide range of security and privacy recommendations for various platforms and scenarios, aiming to help you fortify your digital life.

General

Use a password manager: 1Password or Bitwarden.
- Never reuse passwords.
Don't store real passwords of critical accounts in password managers.
- Instead, store the password altered by a secret rule that only you know.
- Apply to accounts related to your real-world identity or money.
Use different emails and different strong passwords when registering services.
- Use a secure email provider if possible: Proton Mail.
Avoid using your password manager to generate one-time password.
- Instead, use a separate authenticator app: Yubico Authenticator.
- Otherwise, it would become a single point of failure if compromised.
Always enable 2FA (MFA), but avoid SMS-based 2FA if possible.
- Be aware of SIM swap attack.
- Turn off "Cloud Syncing" feature if you're using Google Authenticator.
- Write down backup codes on paper and store them in a safe.
Always use HTTPS.
Use Passkey or security keys.
- You could use your iOS/Android devices or YubiKey.
Don't provide your phone number to any cloud service if possible.
- Even you don't use SMS-based 2FA, your phone number might be used as a "Recovery Method".
Install any security updates as soon as possible.
Don't blindly click on any website you see in your emails or Google search results; they could be scams!
- Instead, add your frequently visited websites to your browser bookmarks.
Carefully review requested permissions when you connect third-party apps to your Google, Twitter, Discord, or other critical accounts.
Do things that can calm your anxiety.
Read Personal Security Checklist.
Read An ultimate list of rules any on-chain survivor should follow to stay safe.

Privacy

Use privacy-friendly VPN: Mullvad.
Read Awesome Privacy.
Read The Hitchhiker's Guide to Online Anonymity.

macOS

Use an application firewall and network monitor: Little Snitch.
Turn on FileVault which provides full disk encryption.
Power off your computer when not in use, in order for the disk to be encrypted.
Avoid quick unlock, such as Touch ID or Face ID.
- Use a long and strong password to unlock your computer.
Automatically lock your screen when idle.
- System Settings > Lock Screen > Require password after screen saver begins or display is turned off
Set one of Hot Corners to "Lock Screen" and always trigger it when you're away from keyboard.
- System Settings > Desktop & Dock > Hot Corners
Disable AirDrop and Handoff.
- System Settings > General > Airdrop & Handoff > Off
Exclude sensitive folders from Spotlight.
- System Settings > Siri & Spotlight > Spotlight Privacy
Don't use any apps that can read your clipboard or what you type.
Don't use third-party input tools.
Create separate browser profiles for different usages.
- One for daily activities.
- One for financial activities, and don't install any extensions other than the password manager for this profile.
- Use Incognito mode.
- Even better: use separate computers.
The fewer browser extensions installed, the better.
- Be aware of developers might sell their extension to someone else.
Use Dangerzone if you are working with PDFs.
Use an ad blocker: uBlock Origin.
Read macOS Security and Privacy Guide.

iOS

Enable Data Protection (Erase all data after 10 failed passcode attempts).
- Settings > Touch ID & Passcode > Erase Data
Change the default PIN of your SIM card.
- Settings > Cellular > SIM PIN > Change PIN
Disable Predictive Text.
- Settings > General > Keyboards > Predictive
- Settings > General > Transfer or Reset iPhone > Reset > Reset Keyboard Dictionary
Turn off AirDrop.
Don't use third-party keyboard apps.
- These apps will be able to access everything that you type: passwords, messages, search terms etc.
Restart your device regularly, ex: once a week.
Rapidly press the side button 5 times to enter Emergency SOS mode.
- Under Emergency SOS mode, your passcode is required to re-enable Touch ID or Face ID.
- Use it when your device is about to be taken away.
Read Telegram & Discord Security Best Practices

Crypto

For large amounts of assets, always store them in hardware wallets or multisig wallets.
Use multiple hardware wallets from different vendors; don't put all your eggs in one basket.
- Some should only hold assets and never interact with DeFi apps.
- Some are used for trading or DeFi stuff.
- Or use an old phone to create wallets, and NEVER connect it to the Internet.
Use hardware wallet's hidden wallet with passphrase.
Write your seed phrases on paper or metal, and store them in a (physical) safe.
- Modify the seed phrase with a secret rule that only you know.
- Keep at least 2 copies in different locations.
- Never store a hardware wallet's seed phrase digitally, NEVER.
Verify backups of your seed phrases every 3 months.
Use multisig wallets: Gnosis Safe.
Only store a small amount of assets in hot wallets.
- If you follow this rule, it might be acceptable to store the seed phrase in a password manager.
- Furthermore, encrypt the seed phrase before storing it.
Rotate your hot wallets regularly.
When transferring tokens to a new address, always send a small amount first, and make sure you can transfer out.
- It may waste gas, but it's better than losing funds.
Add addresses to contacts or whitelists.
Always approve tokens with the exact amount, never use infinite (type(uint256).max) approval.
- It may waste gas, but it's better than losing funds.
Always check the slippage setting before swapping.
Review your token approvals regularly: Revoke.cash.
- Before revoking an approval, you should check the original approve() tx is initiated by you.
- Attacker can create a fake ERC-20 token and set allowance for you.
Signing could be dangerous.
- If it's a clear, human-readable message, it's probably safe to sign.
- If it contains a large amount of data, read carefully before signing.
- Especially, there are "permit" signatures.
Use browser extensions or wallets that can simulate/preview transactions.
- AegisWeb3
- Wallet Guard
- Stelo
- Scam Sniffer
- Raby
Learn to decode a transaction.
- Search the first 10 characters on Ethereum Signature Database
- Simulate the transaction raw data on Tenderly.
Use Etherscan's Watch List to monitor your account activities.
- Though the notification might be a bit delayed, it's not real-time.
Website (domain or frontend code) can be hacked, even if smart contracts are secure.
Read Blockchain Dark Forest Selfguard Handbook.
Read officercia.eth's articles.

Developer

Always create API keys with minimum permissions and set a short expiration time if possible.
Create distinct API keys for different purposes, services, or machines.
- Deactivate the API key if you're not using it.
If you're unsure, run the program inside a non-root container.
The fewer IDE/editor plugins installed, the better.
Enable GitHub Copilot only for specific languages or files.
- Especially, disable it for .env files or any files that may contain sensitive data.
Sign your Git commits.

Wi-Fi

Always change the default username/password of your router or IoT devices.
Keep your router firmware up-to-date.
Only use WPA3-Personal or higher.
Disable remote access on your router.
- If you really want to visit your router's management console through Internet, set IP whitelist at least.
Disable WPS (Wi-Fi Protected Setup) which is vulnerable to brute-force attack.
Avoid using public Wi-Fi.

Physical

Cover your laptop's camera with a sticky note.
Be cautious when plugging USB devices into your computer.
- Don't change devices from your computer if possible.
Be vigilant for keyloggers.
- Bring your own keyboard and USB hub when necessary.
Shred or redact sensitive documents.
- Instead of simply disposing of them in the trash.
Don't reveal information during "inbound" calls.
- Only share sensitive data during outbound calls or communications that you initiate.
Use a certified and well-protected extension cord.
Get fire and earthquake insurance for your house.

你都去哪裡看技術文章？

2015-09-012019-10-22VintaMisc

因為前陣子跟朋友們一起弄了一個技術週刊：CodeTengu Weekly 碼天狗週刊，每個禮拜在考慮要放哪些內容的時候，突然覺得：「你都去哪裡看技術文章？」或許也會是個有價值而且實用的主題，所以乾脆就來跟大家分享一下，我覺得不錯的每日資訊來源。

你可以訂閱的週報

五花八門

CodeTengu Weekly - 內容包含 Web 前端後端、Mobile app 開發、DevOps、機器學習
Hacker Newsletter - Hacker News 的每週精華版
码农周刊 - 开发者头条的每週精華版
湾区日报 - 講技術的部分其實不多，大部份說的是創業、管理、UX 之類的主題

程式語言

資料庫

DevOps

Machine Learning

你可以瀏覽的網站

如果要推薦值得一看的網站或網誌，說八年都說不完，而且現在大家也都不用 RSS reader 了（真的很可惜，明明就很方便），這裡就只提幾個「內容聚合網站」（news aggregator）。你可以在這些網站上 follow 特定的主題，例如 Python、Golang、Apache Cassandra、Docker 之類的，他們就會自動把相關的文章推送給你，比較特別的是，網站還會根據你的個人喜好和你在 Twitter 上關注的對象來調整推送給你的內容。

我最早用過這一類的服務是 Zite，但是直到它老是推薦「印度一條六公尺的巨蟒（Python）吞食了一個人類小孩」的新聞給我之後，我就把它刪掉了。雖然說 Zite 已經被收購，整合進 Flipboard 裡，但是我已經對它沒信心啦。

2015.09.06 更新：

你可以關注的人

以下列出的是許多喜歡在 Twitter 上分享技術文章而且推文頻率又比較高的開發者：

出沒於 Twitter

@vinta - 像這樣幽默又率性的 developer 在這個世道也是不多的，大家可以關注一下
@codetengu - 碼天狗的推特帳號
@c9s
@caterpillar
@dlackty
@Evan_Lin
@ferrari_tw
@fukuball
@gslin
@honglong0420
@hiroshiyui
@hsatac
@ihower
@ingramchen
@jaceju
@jserv
@kakashiliu
@keitheis
@lovecankill
@othree
@pahudnet
@ruanyf
@saiday
@siuying
@timdream
@tzangms
@uranusjr
@WanCW
@william_yeh
@yorkxin
@zmx

出沒於 Facebook

陳上進 - 是的，就是這篇文章的作者本人
CodeTengu 碼天狗 - 碼天狗的 Facebook Page
Ant Yi-Feng Tzeng
Chia-liang Kao
Ian Tsai
Mosky Liu
Will Huang

Computer Names for Sci-Fi Maniac Developers

2015-06-182023-05-19VintaMisc

The list is collected from books I read, movies I watched, and video games I played.

ADA (from Zone of the Enders: The 2nd Runner)
Albedo (from Hyperion) --> used for one of my code projects
Asurada (from Future GPX Cyber Formula)
BrainPal (from Old Man's War)
ctOS (from Watch Dogs)
Deep Thought (from The Hitchhiker's Guide to the Galaxy)
Eddie (from The Hitchhiker's Guide to the Galaxy)
EDI (from Mass Effect) --> used for one of my code projects
EVA-00 (from Neon Genesis Evangelion)
EVA-01 (from Neon Genesis Evangelion)
EVA-02 (from Neon Genesis Evangelion)
Fine Till You Came Along (from Culture: Look to Windward)
GERTY 3000 (from Moon)
GLaDOS (from Portal)
HAL 9000 (from 2001: A Space Odyssey) --> used for one of my code projects
Jane (from Ender's Game: Speaker for the Dead) --> used for My AirPods
JARVIS (from Iron Man)
KOS-MOS (from Xenosaga)
Limiting Factor (from The Culture: The Player of Games)
MAGI (from Neon Genesis Evangelion) --> used for my iPad
Melchizedek (from Gunnm Last Order)
Mike (from The Moon Is a Harsh Mistress)
Of Course I Still Love You (from The Culture: The Player of Games)
Pip-Boy 3000 (from Fallout) --> used for my iPhone
Project 2501 (from Ghost in the Shell)
Samantha (from Her)
Skynet (from The Terminator)
SAL-9000 (2010: The Year We Make Contact)
Sol-9000 (from Xenogears)
Sophon (from The Three-Body Problem)
Tachikoma (from Ghost in the Shell)
TARS (from Interstellar)
TechnoCore (from Hyperion) --> used for my Macbook Pro
Ummon (from Hyperion) --> used for one of my code projects
VIKI (from I, Robot)
Wheatley (from Portal)

ref:
https://en.wikipedia.org/wiki/List_of_fictional_computers
https://en.wikipedia.org/wiki/Artificial_intelligence_in_fiction

MkDocs: Deploy your Markdown documents on GitHub Pages

2015-06-072019-10-22VintaMisc

MkDocs is a static site generator that builds modern webpages based on your Markdown documents and a simple YAML file.

ref:
https://www.mkdocs.org/

Here is the website which is generated by MkDocs in this post:
https://awesome-python.com/
https://github.com/vinta/awesome-python

Installation

$ pip install mkdocs

Configuration

in mkdocs.yml

site_name: Awesome Python
site_url: https://awesome-python.com
site_description: A curated list of awesome Python frameworks, libraries and software
site_author: Vinta Chen
repo_name: vinta/awesome-python
repo_url: https://github.com/vinta/awesome-python
theme:
  name: material
  palette:
    primary: red
    accent: pink
extra:
  social:
    - type: github
      link: https://github.com/vinta
    - type: twitter
      link: https://twitter.com/vinta
    - type: linkedin
      link: https://www.linkedin.com/in/vinta
google_analytics:
  - UA-510626-7
  - auto
extra_css:
    - css/extra.css
nav:
  - "Life is short, you need Python.": "index.md"

There are more themes:

in Makefile

site_install:
    pip install -r requirements.txt

site_link:
    ln -sf $(CURDIR)/README.md $(CURDIR)/docs/index.md

site_preview: site_link
    mkdocs serve

site_build: site_link
    mkdocs build

site_deploy: site_link
    mkdocs gh-deploy --clean

Custom Domain for GitHub Pages

in docs/CNAME

awesome-python.com

After deploying your GitHub Page, just pointing your domain to following IPs with DNS A records:

185.199.108.153
185.199.109.153
185.199.110.153
185.199.111.153

ref:
https://help.github.com/articles/setting-up-an-apex-domain/#configuring-a-records-with-your-dns-provider
https://help.github.com/articles/troubleshooting-custom-domains/#https-errors

Automatic Deployment Via Travis CI

You need to

language: python

python:
  - "3.6"

script:
  - cp README.md docs/index.md
  - mkdocs build

deploy:
  provider: pages
  local-dir: site
  skip-cleanup: true
  keep-history: true
  github-token: $GITHUB_TOKEN
  on:
    branch: master

ref:
https://docs.travis-ci.com/user/deployment/pages/

Upload your Java Artifacts to Maven Central Repository

2014-11-232019-10-22VintaMisc

你需要：

一個使用 Maven 管理的 Java project（廢話）
一個 GPG key（deploy 的時候會用來 sign 要提交的 .jar）
一個 Sonatype JIRA 的帳號
開一張 JIRA 的 ticket 告訴 Sonatype 的人你要發佈 library，告知他們你的 groupId
按照 Requirements 的指示完善你的 pom.xml
deploy 到 snapshot repository
deploy 到 staging repository
在 OSSRH 的 Staging Repositories 把你剛剛 deploy 的 library 給 close 掉，這樣才算是 release
回到那張 ticket，通知 Sonatype 讓他們把你的 library 同步到 Maven Central Repositir

最後一個步驟只有第一次 release 的時候才需要
之後 release 就會自動同步了

Requirements

http://maven.apache.org/guides/mini/guide-central-repository-upload.html
http://central.sonatype.org/pages/requirements.html
http://central.sonatype.org/pages/ossrh-guide.html
http://central.sonatype.org/pages/apache-maven.html
http://central.sonatype.org/pages/releasing-the-deployment.html

參考 Pangu.java 的 pom.xml
https://github.com/vinta/pangu.java/blob/master/pom.xml

Deployment

You need following plugins:

maven-source-plugin
maven-javadoc-plugin
maven-gpg-plugin
nexus-staging-maven-plugin
maven-release-plugin

deploy 之前
必須確定你的 local 的程式碼跟 scm 的程式碼是同步的
如果你要發布 1.0.0 版本的話
你的 pom.xml 裡要寫 1.0.0-SNAPSHOT
然後執行：

# deploy to snapshot repository
$ mvn clean deploy

你可以在 https://oss.sonatype.org/ 搜尋到
SNAPSHOT 版本測試都沒問題之後（當然你要先設定讓 Maven 能夠下載 SNAPSHOT 版本的 libraries）
就可以正式 release 了：

# cleanup for the release
$ mvn release:clean

# 要回答一些關於版本號的問題
# 它會自動幫你新增一個 tag 並且把 pom.xml 裡的 `<version>` 改成下個版本
$ mvn release:prepare

# deploy to staging repository
# 然後 Maven 會把上一步新增的 git tag 和 pom.xml 的變更直接 push 到 GitHub
$ mvn release:perform

Maven 會自動在 library 進到 staging repository 的時候把 -SNAPSHOT 字串拿掉

（第一次 release 才需要以下的動作）

然後你就可以在 https://oss.sonatype.org/#stagingRepositories
找到你剛剛 deploy 的 library
通常長得像是 wsvinta-1000（前面是 groupId）
要把它 close
然後再 release

除了第一次 release 要去 ticket 留言之外
之後 release 就會自動同步到 Maven Central Repository
不過通常會需要等一陣子才會在 Maven 上看到

ref:
http://dev.solita.fi/2014/10/22/publishing-to-maven-central-repository.html
http://lkrnac.net/blog/2014/03/deploy-to-maven-central/
http://kirang89.github.io/blog/2013/01/20/uploading-your-jar-to-maven-central/
http://superwang.me/2014/03/22/publish-your-library-to-maven-central-repository-part-1/
http://www.kongch.com/2013/05/deploy-to-central-repo/

如果你在 release 的過程中出了錯
要重新 release 的話
你得 revert 你的 git commit 到執行 mvn release:prepare 之前
然後再重新跑一次