From Audacity Wiki
This is a work in progress on some security tips. The first section is intended for the main site and is for users downloading software from Audacity/FossHub. It is mainly focused on downloads and hence does not talk about passwords.
- On any site, when downloading, be aware that adverts can sometimes be made to look like the download. For example they may have a button that says 'Download Now' but actually are selling a download for something else. Sometimes these install software that you don't want, or software that makes it look like you need to pay something. On Audacity and our partners FossHub, we work hard to prevent such adverts. However sometimes some do slip through. Review the whole page before clicking.
- When you have a download, check it with https://virustotal.com/, which provides a multi-antivirus URL and File verification service.
- On your machine use an Antivirus and Firewall. We cannot make recommendations, but you can review this website: http://www.av-comparatives.org/
- Keep back ups of any important data. Sadly ransomware is prevalent on the internet, and very profitable for those behind it. Note that ransomware sometimes has a time delay of a few days before it encrypts files, which can make the ransomware harder to spot. Disk drives and USB plugged in whilst the ransomware is active are often affected by the ransomware too, so for example 'time capsule' might not protect you from ransomware as the ransomware could over write that too. Antivirus may help prevent some ransomware.
This section will just be on wiki and is mainly for 'audacity team'.
Logins and passwords
- We STRONGLY suggest users use a different password for each different website you use. No matter how you feel personally about the value your account might provide an attacker, please make all your passwords different.
- Where possible, use a second authentication factor in addition to a username and password. This is usually some information only you know or physically have. Don't have information sent to you by the login provider as an SMS text message because this has recently been deemed unsafe (as those in the telecommunications community already knew).
- When you get a new password that has been automatically generated (e.g. by FossHub), change it.
- Be aware that different email services have different levels of security. Do not associate a relatively insecure email service (such as hotmail) with an account such as WordPress account, that needs to be secure.
- Do not install new modules without checking with Buanzo first. Usually he should do such installation.
- Do not trigger suggested updates from the control panel. Those are for Buanzo to review.
- Keep calm. This is really important. This is the time when you can easily be panicked into making a mistake that makes the problem far worse. Hackers may have set things up in such a way that such a mistake is likely.
- Be paranoid, but kind. Enquiries about the incident may be from hackers looking to get clearer information on what you do and don't know about the incident. Emails may be spoofed and not from whom you think they are from.
- Do not use audacityteam email for anything confidential security related during an incident. If our audacityteam server is being attacked messages may be being read (including private archives) and also could be delayed (e.g. by DDOS).