From Audacity Wiki
This is a work in progress on some security tips. The first section is intended for the main site and is for users downloading software from Audacity/FossHub. It is mainly focused on downloads and hence does not talk about passwords.
- On any site, when downloading, be aware that adverts can sometimes be made to look like the download. For example, they may show a button that says 'Download Now' but actually leads to a download of something else entirely. Sometimes these install software you don't want, or software designed to make it look like you need to pay for something. On Audacity and at our partner FossHub we work hard to prevent such adverts, but some do occasionally slip through. Review the whole page before clicking.
- Once you have downloaded a file, check it with https://virustotal.com/, which scans URLs and files with many antivirus engines at once.
Gale 06Aug16: The sentence about "time capsule" below is unclear to me.
- On your machine, use antivirus software and a firewall. We cannot make specific recommendations, but you can review independent comparisons at http://www.av-comparatives.org/
- Keep backups of any important data. Sadly, ransomware is prevalent on the internet and very profitable for those behind it. Note that ransomware sometimes waits a few days before it starts encrypting files, which can make it harder to spot. Disk drives and USB devices plugged in while the ransomware is active are often encrypted too, so an always-connected backup such as a 'time capsule' might not protect you, because the ransomware could overwrite that as well. Antivirus may help prevent some ransomware.
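The VirusTotal check above tells you whether scanners recognise a file as malicious; a complementary check is to confirm that the file is exactly what the publisher released. The shell function below is an added example written for this page, not code from the Audacity or FossHub sites: it assumes the publisher lists a SHA-256 checksum next to the download (the value in the usage comment is a placeholder) and compares it with the file you downloaded. The same digest can also be searched for on VirusTotal without uploading the file.

```shell
#!/bin/sh
# verify_download FILE EXPECTED_SHA256
# Compares the SHA-256 digest of FILE with the digest published by the
# software's author. Returns 0 on a match, 1 on a mismatch or missing file.
verify_download() {
    file="$1"
    expected="$2"

    if [ ! -f "$file" ]; then
        echo "verify_download: no such file: $file" >&2
        return 1
    fi

    # sha256sum is the GNU coreutils tool; shasum is the usual fallback on macOS/BSD.
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
    fi

    # Published checksums are sometimes printed in upper case; compare case-insensitively.
    expected=$(printf '%s' "$expected" | tr 'A-Z' 'a-z')
    actual=$(printf '%s' "$actual" | tr 'A-Z' 'a-z')

    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: $file does not match the published SHA-256" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Example usage (constructed; the checksum argument is a placeholder,
# not a real Audacity release digest):
#   verify_download audacity-installer.exe PUBLISHED_SHA256_HERE
```

A mismatch does not by itself prove tampering (a truncated download gives the same result), but the file should not be installed until a fresh copy matches.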
This section will only be on the wiki and is mainly for the Audacity team.
Logins and passwords
- We STRONGLY suggest using a different password for each website. However little value you think your account would have to an attacker, please make all your passwords different.
- Where possible, use a second authentication factor in addition to a username and password. This is usually something only you know or physically possess. Don't have codes sent to you by the login provider as an SMS text message, because this has recently been deemed unsafe (as those in the telecommunications community already knew).
- Whenever you receive an automatically generated password (e.g. from FossHub), change it.
- Be aware that different email services have different levels of security. Do not associate a relatively insecure email service (such as hotmail) with an account that needs to be secure, such as a WordPress account.
- Do not install new modules without checking with Buanzo first. Usually he should do such installations himself.
- Do not trigger suggested updates from the control panel; those are for Buanzo to review.
- Keep calm. This is really important. An incident is exactly the time when you can be panicked into making a mistake that makes the problem far worse, and hackers may have set things up precisely so that such a mistake is likely.
- Be paranoid, but kind. Enquiries about the incident may come from hackers trying to learn what you do and don't know about it. Emails may be spoofed and not come from whom you think they do.
- Do not use audacityteam email for anything confidential or security-related during an incident. If our audacityteam server is under attack, messages may be read (including private archives) and may also be delayed (e.g. by DDoS).
- Our priority is protecting users from malware. We would rather be offline (hit the kill switch) than online and unsure of our status. An incident is not over just because things 'look' OK.
- Any pull request MUST be checked carefully for scripts added to the build process. A script in the build process could be malware that runs on developers' machines.
- Any pull request MUST be checked for security issues. This is particularly so for any pull request that adds some kind of external service to Audacity, such as name-the-tune, check-for-updates, upload-podcast and so on.
- We need to be very careful about promoting or linking to third-party compiled downloadable effects. These can run arbitrary code.
- We are ALL vulnerable to phishing, particularly spear phishing, even if we think we are not.
- We need security protocols and plans that remain robust even if one person's main machine and main email account have been compromised. Hackers may watch for months before doing anything.
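One way to make the pull request check above systematic: the shell function below, an added example for this page rather than anything from the Audacity project, takes the list of files changed by a pull request (for instance the output of `git diff --name-only base...head`) and prints those whose name or location suggests they influence the build or CI process, so a reviewer reads them first and the change cannot be merged without sign-off. The filename patterns are assumptions about typical build layouts, not a list taken from the Audacity repository.

```shell
#!/bin/sh
# flag_build_changes
# Reads changed file paths from stdin, one per line (e.g. the output of
# `git diff --name-only base...head`), and prints those that could alter
# what runs during a build or in CI. Returns 1 if any were found, so it
# can gate a merge, and 0 if the change set touches none of them.
# The patterns below are assumptions about common build layouts.
flag_build_changes() {
    flagged=$(grep -E -i \
        -e '(^|/)(CMakeLists\.txt|Makefile(\.[a-z]+)?|configure(\.ac|\.in)?|autogen\.sh)$' \
        -e '\.(cmake|mk|sh|bash|bat|cmd|ps1|py|pl)$' \
        -e '(^|/)(\.github/workflows/|\.gitlab-ci\.yml|\.travis\.yml|appveyor\.yml|azure-pipelines\.yml)' \
        -e '(^|/)(scripts?|build|ci|tools)/' \
        || :)
    if [ -n "$flagged" ]; then
        echo "Files touching the build process; review each before merging:" >&2
        printf '%s\n' "$flagged"
        return 1
    fi
    return 0
}

# Example (constructed file list, not from a real pull request):
#   printf 'src/Audacity.cpp\nscripts/build.sh\nCMakeLists.txt\nREADME.md\n' | flag_build_changes
```

The filter deliberately errs towards flagging too much: a false positive costs a reviewer a minute, whereas a missed build script that runs on every developer's machine is exactly the risk the item above describes.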