Initial skills documentation — 25 categories, all SKILL.md + references + scripts

This commit is contained in:
root
2026-07-15 17:42:20 -04:00
commit 1b4fcd4427
976 changed files with 188344 additions and 0 deletions
@@ -0,0 +1,34 @@
# Data Broker Removal — Action Plan (Jul 2026)
## Recommendation: Use a paid service
| Approach | Year 1 Cost | Time | Effectiveness |
|----------|------------|------|---------------|
| Manual DIY | $0 | 12-20 hrs initial + 2-4 hr/month | Medium |
| Kanary | **$84/yr** | 2 hrs setup, done | High (continuous) |
| DeleteMe | $129/yr | 2 hrs setup, done | High (premium) |
**Why paid:** Data respawns every 30-60 days. A service continuously re-scans and re-submits removals. Manual approaches fizzle because by the time you finish the 50-site list, the first sites have re-added you.
## Priority Tiers (50 sites)
### Priority 1 — The Big 10 (removal cascades to smaller sites)
Spokeo, Whitepages, Intelius, BeenVerified, TruthFinder, PeopleFinders, Radaris, MyLife, Nuwber, PeekYou
### Priority 2 — 20 high-traffic people-search sites
USSearch, ZabaSearch, CheckPeople, GoLookUp, PublicRecords, SocialCatfish, WhitePagesPrime, Addresses, PhoneNumber, InstantCheckmate, PeopleLooker, PeopleSearchNow, PeopleSmart, PublicReports, USPhoneBook, SearchPeopleFree, That'sThem, WhoIs, Yatedo, InfoTracer
### Priority 3 — 10 background check + public record sites
CriminalPages, FederalPrison, Mugshots, BustedMugshots, JailBase, TexasTribune, VineLink, PACER, UniCourt, Trellis
### Priority 4 — 10 marketing data brokers
Acxiom, Epsilon, Oracle Data Cloud, Experian Marketing, Neustar, Lotame, Merkle, Harte Hanks, BlueKai, Quantcast
## Breach Database Checks
- HaveIBeenPwned — https://haveibeenpwned.com
- Dehashed — https://dehashed.com (15B+ breach records)
- Firefox Monitor — https://monitor.firefox.com
- Google Dark Report — https://one.google.com
## Status
On the todo list as `kanary-setup` (pending user authorization to sign up).
@@ -0,0 +1,39 @@
# ITGC Build-Time Checklist
Keep this checklist in mind whenever deploying a NEW service or making significant infrastructure changes. Not every item applies to every project — use judgement.
## Pre-deployment
- [ ] **Access logging** — Does this service log admin actions? Who did what when?
- [ ] **Least privilege** — Is the API key / service account scoped to minimum permissions? Nothing more?
- [ ] **MFA** — Can this service support MFA for admin access? If not, document the gap.
- [ ] **Secrets** — Are credentials in `.env` (chmod 600), not hardcoded in config files?
- [ ] **Backup** — Is the data backed up independently of the server? How often? To where?
- [ ] **Restore test** — Has the backup been tested by actually restoring? (Quarterly minimum)
## Post-deployment
- [ ] **Document** — Is the deployment captured in the project log?
- [ ] **Access list** — Who has access? (SSH keys, API tokens, admin accounts)
- [ ] **Change ticket** — Is there a record of what was done, why, and by whom?
- [ ] **Runbook** — If this service goes down, does someone know how to bring it back?
## Semi-annual
- [ ] **Access review** — Are all SSH keys still needed? Any terminated employees/contractors still have access?
- [ ] **Token rotation** — Are long-lived API tokens still scoped correctly?
- [ ] **Backup restore test** — Actually restore from backup, not just verify backup ran.
## Current gaps (Jul 2026)
These are documented so we can track closure over time:
| Gap | Target | Status |
|-----|--------|--------|
| MFA on SSH/admin | All admin access | ❌ Missing |
| Access reviews | Quarterly | ❌ Missing |
| Change tickets | Every infra change | ❌ Missing |
| Incident response plan | Written + tested | ❌ Missing |
| Backup restore tests | Quarterly | ❌ Never done |
| Password policy | 14+ chars, rotated, MFA | ❌ Missing |
| Encryption at rest | Sensitive data stores | ❌ Missing |