fix: update contact details

.forgejo/workflows/publish.yaml

@@ -15,6 +15,8 @@ jobs:
         with:
           submodules: true
       - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
       - run: npm install -g bnycdn
       - name: Setup Hugo
         uses: https://guardianproject.dev/actions/actions-hugo@v3

content/abuse.md

@@ -5,12 +5,13 @@ description = ''
 +++
 
 You can report abuse of a domain name or submit other concerns related to our registrar services by emailing
-support@sr2.uk, or by telephone to [+44 1224 900 202](tel:+441224900202). Please make sure to include the domain name involved and as much
-detail as possible about your concern.
+support@sr2.uk, or by telephone to [+44 333 1127 999](tel:+443331127999).
+Please make sure to include the domain name involved and as much detail as possible about your concern.
 
-If you are reporting website content, please use the same contact details as above. When you do so, please be sure to
-describe the content clearly and provide its location on the website, for example a direct link to an image or video. We
-may not be able to process your report without a specific URL.
+If you are reporting website content, please use the same contact details as above.
+When you do so, please be sure to describe the content clearly and provide its location on the website, for example a
+direct link to an image or video.
+We may not be able to process your report without a specific URL.
 
 To report abuse relating to our IP resources, please use the contact details
-published [in the RIPE database](https://apps.db.ripe.net/db-web-ui/lookup?source=ripe&key=ACRO27563-RIPE&type=role).
+published [in the RIPE database](https://apps.db.ripe.net/db-web-ui/lookup?source=ripe&key=ACRO27563-RIPE&type=role).

content/complaints.md

@@ -5,7 +5,7 @@ description = ''
 +++
 
 If you are not happy with our services or have any complaint then you must tell us by email message to support@sr2.uk,
-or by telephone to [+44 1224 900 202](tel:+441224900202).
+or by telephone to [+44 333 1127 990](tel:+443331127990).
 
 We will respond within 3 working days and attempt to resolve this promptly, however in case a dispute is not settled as
 set out above, we hope you will agree to attempt to resolve it by engaging in good faith with us in a process of

content/contact/_index.md

@@ -15,6 +15,3 @@ Mon-Fri 0900 to 1700 GMT/BST
 
 #### Map
 {{< address-map >}}
-
-#### Get in touch
-{{< feedback-form fallback="Our contact form requires javascript. Otherwise, you can send a mail to contact@sr2.uk." >}}

content/deliveries.md

@@ -7,7 +7,7 @@ address = '''Rear of 499 Union Street
 Justice Mill Lane
 Aberdeen
 AB11 6EQ'''
-telephone = "+441224900202"
+telephone = "+443331127990"
 gln = "5060979190039"
 +++
 
@@ -15,7 +15,7 @@ gln = "5060979190039"
 
 Access to the delivery point is via Justice Mill Lane (GPS postcode: AB11 6EQ).
 Drivers must pass the entrance to ensure that the car park is clear before reversing.
-If in any doubt, drivers must phone the office on [01224 900 202](tel:+441224900202) for assistance reversing into the
+If in any doubt, drivers must phone the office on [0333 1127 990](tel:+443331127990) for assistance reversing into the
 car park.
 
 There are 7 private car parking spaces on the right-hand side of the car park (as viewed from Justice Mill Lane).

content/info/communication-strategy.md

@@ -5,7 +5,7 @@ title = "Communication Strategy"
 [params]
     background = "images/backgrounds/new_tower.jpg"
 +++
-# Communication technology for challenging environments.
-### Software and systems to ensure your messages get through when they are the most critical.
+# Secure, robust and resilient technology for civil society.
+### We build open source systems and processes to support human rights defenders, journalists, community groups and activists.
 
 {{< primary-button name="Get in touch" url="/contact" icon="arrow-right" >}}

content/policies.md

@@ -0,0 +1,8 @@
+---
+title: Company Policies
+date: 2026-04-22T11:00:00+00:00
+type: page
+---
+
+* [Password and Authentication Policy](/policies/password_auth/)
+* [Public WiFi Policy](/policies/public_wifi/)

content/posts/2025-using-tls-ech-from-python.md

@@ -17,6 +17,8 @@ In this post I will describe the flow of a connection using Encrypted Client Hel
 and present a working code example using a fork of CPython built with DEfO project's OpenSSL fork to connect to
 ECH-enabled HTTPS servers.
 
+<!--more-->
+
 To understand why this is an issue, let's take a step back and look at how websites are hosted.
 Many websites are hosted on shared servers, which means that a single server machine is responsible for serving
 multiple, possibly hundreds or thousands, of websites.

content/posts/2026-butter-box-connectivity/index.md

@@ -11,6 +11,9 @@ tags = ['local','offline','wifi-halow','lora']
 We have just wrapped up a project with the [Guardian Project team](https://guardianproject.info/) exploring options for
 connectivity to allow for updates to software and content on the
 [Butter Box](https://likebutter.app/) and for communications between users of multiple Butter Boxes.
+
+<!--more-->
+
 We have explored two technologies:
 
 * [LoRA](#lora)

content/posts/2026-butter-box-portal/index.md

@@ -1,7 +1,7 @@
 +++
 title = 'Butter Box Portal Improvements'
-date = 2026-04-15T20:00:00-00:00
-lastmod = 2026-04-15T20:00:00-00:00
+date = 2026-04-15T16:00:00-00:00
+lastmod = 2026-04-15T16:00:00-00:00
 draft = false
 tags = ['local','offline','butterbox', 'deltachat']
 [params]
@@ -12,6 +12,8 @@ As part of our latest development project with the [Guardian Project team](https
 re-engineered the [Butter Box](https://likebutter.app/) portal interface. This post describes the design choices and improvements within the new 
 portal.
 
+<!--more-->
+
 ## Portal tech stack 
 
 Previously, the interface was a static site built with [Jekyll](https://jekyllrb.com/), which offered no customisation 

content/posts/2026-cyber-essentials/index.md

@@ -0,0 +1,53 @@
++++
+title = 'SR2 Communications Achieves Cyber Essentials Certification'
+date = 2026-05-03T09:20:00-00:00
+lastmod = 2026-05-03T09:20:00-00:00
+draft = false
+tags = ['security', 'audit']
+[params]
+  author = 'Iain Learmonth'
++++
+
+We're pleased to announce that SR2 Communications has achieved
+[Cyber Essentials](https://www.ncsc.gov.uk/cyberessentials/overview) certification, the UK government's baseline
+standard for cyber security.
+This milestone represents an important addition to our existing security practices and reinforces our dedication to
+protecting the organisations we serve.
+
+<!--more-->
+
+<figure>
+<img src="/images/2026/cyber-essentials.png" alt="Certificate of Assurance - SR2 Group Limited, incorporating SR2 Communications Limited and SR2 Professional Services Limited, complies with the requirements of the Cyber Essentials scheme">
+<figcaption>Our Cyber Essentials Certificate</figcaption>
+</figure>
+
+Cyber Essentials is a government-backed certification scheme developed by the National Cyber Security Centre (NCSC).
+It establishes five core technical controls designed to prevent the most common cyber security threats.
+According to NCSC, organisations with this certification are protected against approximately 80% of the most common
+cyber attacks that they have observed.
+
+We've always had a strong focus on security (it's the S in SR2!) and have always maintained rigorous security practices
+in our software development and infastructure hosting including external audits of application code and periodic
+penetration testing of our infrastructure. These practices remain in place and will continue to provide project-specific
+assurance. However, Cyber Essentials addresses something equally critical: the foundational security of our
+organisation.
+
+While code audits and pentests examine specific systems and software, Cyber Essentials evaluates how we operate as an
+organisation, covering five primary areas:
+
+* Boundary firewalls and internet gateways
+* Secure configuration
+* User access control
+* Malware protection
+* Patch management
+
+This certification ensures that the foundation upon which our technical work rests is equally secure. The organisations
+we work with include free software projects, charities, non-profits, advocacy groups, and the media.
+They often handle sensitive data related to vulnerable populations, campaign strategies, and confidential stakeholder
+information. They need partners they can trust.
+
+For those partners operating with limited resources, knowing that their technology partners meet recognised security
+standards removes one more concern from their already demanding work.
+
+If your organisation is looking for a technology partner that understands your mission and takes security seriously,
+we'd welcome you to [get in touch](/contact).

content/posts/2026-hiring-python-developer/index.md

@@ -12,6 +12,8 @@ SR2 Communications develops technology to support individuals, journalism public
 with their digital security needs. This ranges from secure hosting of an off-the-shelf application to bespoke
 development of novel software to fill a niche requirement.
 
+<!--more-->
+
 We are searching for a Python developer to join our team to work on a backend application.
 The application will use the FastAPI framework and communicate with a PostgreSQL database and third-party APIs.
 The application uses OpenID Connect for authentication.

content/posts/2026-link-new-home/index.md

@@ -0,0 +1,34 @@
++++
+title = 'To Our CDR Link Users'
+date = 2026-05-18T13:50:00-00:00
+lastmod = 2026-05-18T13:50:00-00:00
+draft = false
+tags = ['link']
+[params]
+  author = 'Ana Custura'
++++
+
+SR2 Communications has been the deployment lead for the Center for Digital Resilience (CDR) Link project over the last five years. We are a small team based in Scotland, and have been part of CDR Link since it was just an idea and have seen it evolve into a product that many in our community have come to rely on. 
+
+We were saddened to hear that the Center for Digital Resilience will be closing at the end of December 2026, and have taken a moment to examine what role we can play in the sustainability of hosting, maintaining, and deploying CDR Link.
+
+Since 2021, we have provided deployment and front-line day-to-day support across CDR’s global user community. We now also maintain the secure hosting infrastructure that safeguards Link user data. Our infrastructure, internal policies and procedures have been audited by external parties.
+
+Outside of this community, SR2 is a secure software and communications services organization that specializes in designing secure, resilient communications infrastructure for clients in government, news media, and civil society. We deploy web mirrors, bridges, Onion Services, and domain hosting in the Internet Freedom space.
+
+**Following a discussion with CDR and their board, we have agreed to become the new home for CDR Link.** 
+
+We do not expect your day-to-day operations and experience to change during this transition. We hope to continue seeing you virtually at our helpdesk and providing the same level of service to all of our partners. As a team, we have many exciting new goals and ambitions for the project, but we want to ensure they all align with your exact needs. As this transition unfolds, we are eager to work with our users to ensure we are all on the same team.
+
+Rest assured, we are committed to keeping Link open source and will keep working to improve it. We are also actively seeking donor support to help ensure the project's long-term sustainability. Over the next few months, we will be releasing updates to keep you aware of any potential changes, goals and progress towards a continued sustainable future of Link. 
+
+If you’d like to connect over a call before you make any further decisions, please reach out. We’d be happy to chat! You can use one of the following channels:
+
+ - Email us at contact@sr2.uk
+ - WhatsApp/Signal at +44 7421 011 975
+
+For encrypted email, use our OpenPGP key: <a href="/helpdesk.asc"><code>1135 3E54 83C7 152B 165C 46A7 9CE7 365E C2E1 4728</code></a>
+
+<img src="/images/2026/contact_banner.png" style="width: 100%;" alt="Contact us on WhatsApp or Signal with phone number +447421011975.">
+
+We look forward to continuing to work with this community!

content/posts/2026-open-source/index.md

@@ -0,0 +1,74 @@
++++
+title = 'Why Open Source?'
+date = 2026-05-12T12:00:00-00:00
+lastmod = 2026-05-12T12:00:00-00:00
+tags = ['open source']
+[params]
+  author = 'Iain Learmonth'
++++
+
+All of our development efforts at SR2 Communications are released under an open source licence.
+This is often a condition of the grants that fund our work but we don't just use the licences to meet contractual
+requirements. We strongly believe that open source software is the best way to approach the technical needs of
+civil society organisations.
+
+Kerckhoffs's Principle is one guiding idea in this approach.
+The principle holds that a cryptosystem should be secure, even if everything about the system, except the key, is public
+knowledge[^1].
+Kerckhoffs's principle was later phrased by the American mathematician Claude Shannon as "the enemy knows the system".
+
+This principle forces us to build software that would withstand a source code leak because it's already open.
+We cannot hide security flaws behind obscurity.
+Every algorithm, every protocol decision, every line of networking code must be robust enough for expert scrutiny.
+When vulnerabilities are found, and they sometimes are, they're found by friendly researchers who report them, rather
+than by adversaries who exploit them silently.
+
+This auditability also helps us build trust.
+When our code is fully auditable, users can verify exactly what our software does, and crucially, what it doesn't do.
+They can confirm we're not logging their activity, not inserting backdoors, not collaborating with adversaries.
+This trust is foundational.
+Without it, users won't risk using our tools, and the tools become useless.
+
+When we produce censorship circumvention tools, we are building in a context where there is already distrust.
+Censorship cannot exist without surveillance.
+To block content, authorities must first monitor what users are accessing.
+This surveillance creates a chilling effect: even when censorship isn't actively enforced, the threat of being watched
+leads to self-censorship.
+Users hesitate to search for sensitive topics, search for alternative news sources, or communicate openly.
+We must circumvent not only the censorship imposed technically, but the self-censorship imposed by the threat of
+surveillence.
+
+Funding for internet freedom work can be unpredictable. Grant cycles end. Priorities shift.
+If a funding gap forces us to halt development, open source ensures continuity is possible.
+Other organisations can pick up where we left off without needing any permission from us.
+They can maintain the software, apply security patches, and keep services running for users who depend on them.
+
+Even when funding is stable we cannot be everywhere at once.
+Our team has expertise in specific regions and network conditions, but censorship takes different forms across the
+world.
+Deep packet inspection, for example, may be implemented differently in different regions but if we have an open source
+framework for defeating it, we enable others to adapt our tools for their local contexts.
+A developer in a region we've never considered can fork our repository, modify protocols to evade their specific regional
+environment, and deploy it for use.
+
+Our open approach invites contributions from a global community of security researchers, computer scientists, and
+censorship measurement specialists.
+These academics scrutinise our cryptography, suggest protocol improvements, and identify vulnerabilities we might have
+missed.
+They publish papers that advance the entire field, and we incorporate their findings back into our codebase.
+This virtuous cycle makes our tools stronger than any closed-source alternative could be.
+
+We see open source as a strategic necessity.
+It builds user trust in an environment of surveillance and self-censorship.
+It multiplies our impact through decentralised adaptation.
+It harnesses global expertise for continuous improvement.
+It enforces genuine security that withstands scrutiny.
+And it ensures our mission endures, regardless of what happens to our organisation.
+
+The code we write today may outlast us. That's by design.
+
+[^1]: Kerckhoff described a number of design rules for military ciphers in 1883, and there is another principle that we
+also strongly agree with (translated from
+[the original French text](https://petitcolas.net/kerckhoffs/crypto_militaire_1.pdf)): "given the circumstances in which
+it is to be used, the system must be easy to use and should not be stressful to use or require its users to know and
+comply with a long list of rules".

content/services/dns.md

@@ -0,0 +1,35 @@
+---
+title: DNS for Civil Society
+lastmod: 2026-04-12T15:00:00+01:00
+---
+
+We offer a DNS resolver for use by civil society organisations to protect their devices against malware, spyware, and
+other attacks. Attempts to look up domain names that have been seen used as part of attacks will fail stopping the
+attacker and preventing data loss or other systems compromise.
+
+The status of this service is currently **experimental** and feedback is welcomed.
+
+### How to use
+
+Configure your system to use the following IP addresses for DNS resolution:
+
+* 144.76.160.194
+* 2a01:4f8:2210:23ea::4
+
+### False positives
+
+Occasionally, we will have false positives where a legitimate domain name is blocked accidentally. We hope these to be
+less frequent over time. If you find a domain that is blocked that shouldn't be, please report this to
+[contact@sr2.uk](mailto:contact@sr2.uk).
+
+### Roadmap
+
+We are always looking for additional threat intelligence feeds to integrate with our existing feeds. In the future
+we hope to also offer additional IP addresses for different combinations of feeds (e.g. blocking malware, blocking
+advertisements). We also hope to offer anycast addresses to improve the speed of the resolver.
+
+### Support
+
+This services is provided free of charge for use by civil society organisations, however we appreciated donations
+to help cover our running and development costs. You can donate via our
+[Open Collective](https://opencollective.com/sr2comm) page.

content/support.md

@@ -1,6 +1,6 @@
 +++
 title = 'Support'
-date = 2026-02-03T08:00:00-07:00
+date = 2026-05-03T10:30:00-00:00
 description = 'Customer support contact methods and service level objectives.'
 type = "page"
 +++
@@ -9,6 +9,8 @@ You can get support directly from our staff.
 For most customers the most efficient way to see your issue resolved will be to contact us via our support system or by
 email to contact@sr2.uk.
 
+OpenPGP fingerprint: [`1135 3E54 83C7 152B 165C 46A7 9CE7 365E C2E1 4728`](/helpdesk.asc)
+
 Below you can also find additional options for support, and what you can expect when you contact us.
 
 ### 1. Service Level Objective
@@ -24,7 +26,7 @@ calculating the start date of any notice period any pro-rata amounts to be charg
 ### 2. Alternative contact methods
 
 In urgent cases, or if required for accessibility reasons, you may contact us by telephone on
-[+44 (0)1224 900 202](tel:+441224900202) between 10am and 5pm on working days.
+[+44 333 1127 999](tel:+443331127999) between 10am and 5pm on working days.
 If your request is not urgent, we will log your issue within our support system to be resolved at the same speed as if
 it had been reported via email. If your use of telephone support is excessive we may ask you to purchase a support plan.
 

content/visiting.md

@@ -6,7 +6,7 @@ address = '''499 Union Street
 2nd Floor
 Aberdeen
 AB11 6DB'''
-telephone = "+441224900202"
+telephone = "+443331127990"
 gln = "5060979190022"
 draft = false
 +++

hugo.toml

@@ -23,9 +23,9 @@ defaultContentLanguage = 'en'
 
 [params.contact]
   methods = [
-    {name = 'Telephone', display = '+44 (0)1224 900 202', link = 'tel:+441224900202'},
+    {name = 'Telephone', display = '+44 (0)333 1127 990', link = 'tel:+443331127990'},
     {name = 'Email', display = 'contact@sr2.uk', link = 'mailto:contact@sr2.uk'},
-    {name = 'Fax', display = '+44 (0)1224 900 284', link = 'tel:+441224900284'}
+    {name = 'Fax', display = '+44 (0)333 1127 998', link = 'tel:+443331127998'}
   ]
 
 [params.feedback]
@@ -60,6 +60,7 @@ NCAGE: U2G06'''
     {text = 'Terms and Conditions', href = '/terms'},
     {text = 'Privacy Policy', href = '/privacy'},
     {text = 'Complaints Policy', href = '/complaints'},
+    {text = 'Other Policies', href='/policies'},
   ]
 
 [languages.en.params.footer.col3]
@@ -67,7 +68,9 @@ NCAGE: U2G06'''
     {title = 'Social'},
     {text = 'Open Collective', icon = 'circle', href='https://opencollective.com/sr2comm'},
     {text = 'Git', icon = 'git-branch', href = 'https://guardianproject.dev/sr2'},
+    {text = 'Bluesky', icon = 'at-sign', href = 'https://bsky.app/profile/sr2.uk'},
     {text = 'LinkedIn', icon = 'linkedin', href = 'https://www.linkedin.com/company/sr2uk/'},
+    {logo = 'images/footer/essentials.png', href = "/cyber-essentials.pdf"},
   ]
 
 [params.styles]

layouts/_partials/home.html

@@ -6,13 +6,6 @@
 
 <div class="divider"></div>
 
-{{ $ctx := dict
-	"page" .
-	"title" (T "Our Team")
-	"content" (partial "team.html" .)
-}}
-{{ partial "flex-section.html" $ctx }}
-
 {{ $ctx := dict
   "page" .
   "title" (T "Our Partners")

policies/Justfile

@@ -0,0 +1,8 @@
+update:
+    #!/usr/bin/env bash
+    for file in *.bs; do
+        specname="${file%.bs}"
+        mkdir -p "../static/policies/${specname}/"
+        bikeshed spec "${file}" "../static/policies/${specname}/index.html"
+    done
+

policies/biblio.json

@@ -0,0 +1,8 @@
+{
+  "EFF-DICE": {
+    "href": "https://www.eff.org/dice",
+    "title": "EFF Dice-Generated Passphrases",
+    "publisher": "Electronic Frontier Foundation",
+    "source": "https://www.eff.org/dice"
+  }
+}

policies/copyright.include

@@ -0,0 +1,3 @@
+&copy; <a href="https://www.sr2.uk/">SR2 Communications Limited</a>.
+This document is licensed under <a href="https://creativecommons.org/licenses/by/4.0/">CC BY 4.0</a>.
+<img src="https://mirrors.creativecommons.org/presskit/icons/cc.svg" alt="" style="max-width: 1em;max-height:1em;margin-left: .2em;" no-autosize><img src="https://mirrors.creativecommons.org/presskit/icons/by.svg" alt="" style="max-width: 1em;max-height:1em;margin-left: .2em;" no-autosize>

policies/header.include

@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+  <title>[TITLE]</title>
+  <style data-fill-with="stylesheet">
+  </style>
+  <style>
+
+  </style>
+</head>
+<body class="h-entry">
+<div class="head">
+  <p style="background-color: #000; padding: 10px; font-size: large; font-weight: bold; color: #fff; float: right;">TLP:CLEAR</p>
+  <img src="https://www.sr2.uk/images/logo.png" alt="SR2 Communications Limited" width="400" style="margin-bottom: 10px;">
+  <h1 id="title" class="p-name no-ref">[TITLE]</h1>
+  <h2 id="subtitle" class="no-num no-toc no-ref">Draft for Approval by Company Directors,
+    <span class="dt-updated"><span class="value-title" title="[CDATE]">[DATE]</span></span>
+  </h2>
+  <div data-fill-with="spec-metadata"></div>
+  <div data-fill-with="warning"></div>
+  <p class='copyright' data-fill-with="copyright"></p>
+  <hr title="Separator for header">
+</div>
+
+<div class="p-summary" data-fill-with="abstract"></div>
+<div data-fill-with="at-risk"></div>
+
+<nav data-fill-with="table-of-contents" id="toc"></nav>
+<main>

policies/password_auth.bs

@@ -0,0 +1,147 @@
+<h1>Passwords and Authentication Policy</h1>
+<pre class="metadata">
+Status: DREAM
+Local Boilerplate: header yes, copyright yes, defaults yes
+Boilerplate: status no
+TR: https://www.sr2.uk/policies/password-auth/
+Shortname: password-auth
+Complain About: accidental-2119 yes
+No Editor: true
+!Version: 1.0
+Abstract: A policy defining an effective authentication management procedures when conducting company-related business.
+</pre>
+
+# Objective # {#objective}
+
+This policy defines an effective authentication management procedures when conducting company-related business and
+includes the:
+
+* issuing and selection of strong authentication methods and credentials;
+* protection of secret authentication credentials;
+* frequency of change in terms of authentication credentials;
+* reporting of any suspected breach or lost authentication credentials;
+* use of authentication methods with third party systems (including cloud technology).
+
+Authentication is a key method of securing our information – choosing weak authentication methods, or failing to keep
+the authentication credentials secure, places the confidentiality of our data at risk.
+
+# Scope # {#scope}
+
+The scope of the policy covers all individuals either employed or contracted to work with or for the company, either
+in-office or remotely.
+
+# Definitions # {#definitions}
+
+: Authentication method
+:: Any method by which a user may authenticate themselves in order to gain access to a location, data or service, such
+     as text entry (e.g. passwords, passphrases, PINs), biometrics (e.g. fingerprints), etc.
+: Authentication credentials
+:: The specific data or information used by a user to authenticate themselves, including but not limited to passwords,
+     passphrases, PINs, and biometric data.
+: Multi-Factor Authentication (MFA)
+:: An authentication method that requires the user to provide two or more verification factors to gain access, such as
+     something they know (e.g., password), something they have (e.g., a security token or mobile device), and/or
+     something they are (e.g., biometric data).
+: Cloud-based system
+:: A service or platform hosted over the internet that allows users to access data, applications and services remotely.
+: Password manager
+:: A software product used for the secure storage of passwords, which must be approved for use, and includes functions
+     for generating strong passwords compliant with this policy.
+
+# Policy # {#policy}
+
+Authentication method covers any methods by which a user may authenticate themselves in order to gain access to a
+location, data or service, such as text entry (e.g. passwords, passphrases, PINs), biometrics (e.g. fingerprints), etc.
+The company ensures that authentication credentials are kept confidential by:
+
+- storing authentication credentials in a secure manner;
+- changing manufacturer default authentication credentials and disabling guest accounts on all equipment;
+- issuing new users with temporary authentication credentials, which must be changed at first login to a stronger
+    alternative (defined later);
+- authentication credentials issued to new users are done so in a secure manner (e.g. never in clear text via an email);
+- changing all multi-user credentials (e.g. for communal equipment) used by an employee in the event that their
+    employment ends;
+- ensuring that access to user credentials is limited to ICT administrators for the purpose of resetting, revoking or
+    problem resolution – authentication methods may only be reset once the identity of the user has been verified;
+- locking accounts after 5 failed login attempts in order to dissuade brute-forcing attempts;
+- training staff in the use of digital password managers, and the risks of storing passwords in any other form (such as
+    a notebook at their workstation, or Post-It note).
+
+Users must ensure that they do all they can to maintain the confidentiality of their authentication credentials by
+never:
+
+- using company authentication credentials for any other account they hold (including personal accounts such as home
+    utilities, email, online shopping services, etc);
+- having a physical copy of their credentials;
+- using a non-approved method for password generation;
+- entering authentication credentials on non-company equipment (for example, home or public access PCs);
+- revealing authentication credentials to anyone, including line managers, unless relaying information on temporary
+    credentials which are changed immediately upon next login. This includes never
+    sharing authentication credentials with co-workers (e.g. whilst on annual leave);
+- discussing authentication credentials in front of others.
+
+## Password Authentication ## {#passwords}
+
+Many services and policies only allow for password authentication methods, and so they are given a special focus here.
+Strong passwords MUST be used for authentication. The company defines a strong password as one generated by one of two
+processes: random string generation by a password manager or using diceware [[!EFF-DICE]].
+
+Where a password is to be stored in a password manager, it MUST be randomly generated by the password manager with the
+parameters:
+
+- having a minimum number of 14 characters in length;
+- using longer passwords where permitted by the service;
+- including a mixture of numbers, upper and lower case letters, and special characters.
+
+Where special characters are not possible due to technical restrictions, the minimum length is 20 characters.
+
+For the avoidance of doubt, weak passwords must never be used. Weak, text-based authentication credentials generally
+have one or more of the following characteristics:
+
+- credential is the same, or partly the same, as the username;
+- names of family members, friends, or pets are used;
+- personal information about yourself or family members which can be easily found from social networking sites,
+    including date of birth, phone number, street name, etc.;
+- consecutive alphanumeric characters or keys on the keyboard, such as ‘abc123’ or ‘qwerty’;
+- dictionary words including the inclusion of a number or character at the start or end or substituting numbers or
+    punctuation for letters, for example, ‘P@55w0rd’;
+- a known word from any language (which may not be in a dictionary).
+
+For passwords that are intended to be memorised, the MUST be generated using diceware. The above restrictions likely
+will not be met using this method as the intention is to provide a strong password that is easy to remember, and the
+strength comes from the underlying dice rolls. Any other method of generating a passphrase MUST NOT be used even if it
+results in one that bears similarity to a diceware-generated passphrase.
+
+Memorised passphrases generated with diceware SHOULD be used for:
+
+- end-user device login passphrase;
+- password manager decryption passphrase.
+
+## Multi-Factor Authentication ## {#mfa}
+
+Wherever the option is offered by a given service or piece of software, multi-factor authentication is to be used (e.g.
+a fingerprint and a passphrase, or a voice sample, PIN and verification SMS).
+
+Where a hardware token is in use to authenticate to a system without a password, the token itself MUST be secured with
+a memorised PIN of at least 6 digits.
+
+## Credentials for Cloud-Based Systems and Online Portals ## {#cloud}
+
+It is to be remembered that the company makes use of cloud-based technology and online portals, which may not enforce
+strong authentication credentials. It is therefore up to the individual to ensure a good authentication regime is
+maintained, which is as strong as that used within the organisation. In line with the company’s "Internet Use
+Policy", users shall:
+
+- not create an online account for business purposes without authorisation from a director;
+- advise a director when there is no longer a need to have the online account in order to ensure that it is
+    removed.
+
+## Credential Compromise Policy ## {#compromise}
+
+In the event of a credential compromise, users SHALL take immediate action to secure the account by resetting or
+invalidating the credentials and report the incident to a director as soon as practical.
+It is policy that any password compromise event will be shared with CiviCERT members via the MISP platform to allow for
+shared learning from the incident.
+Directors will be responsible for determining if a data breach notification is necessary to our clients or to the
+Information Commissioners Office.
+

policies/public_wifi.bs

@@ -0,0 +1,61 @@
+<h1>Public WiFi Policy</h1>
+<pre class="metadata">
+Status: DREAM
+Local Boilerplate: header yes, copyright yes
+Boilerplate: status no
+TR: https://www.sr2.uk/policies/public-wifi/
+Shortname: public-wifi
+Complain About: accidental-2119 yes
+No Editor: true
+!Version: 1.0
+Abstract: A policy governing staff and contractor use of public WiFi networks when accessing company data.
+</pre>
+
+# Objective # {#objective}
+
+The company approves remote working to work-related cloud services and work email accounts, as long as the devices used
+to access these have been sanctioned by the company. Using public WiFi to conduct business, without the necessary
+safeguards, places our data at risk of theft. The purpose of this policy is to provide the framework for those
+safeguards.
+
+# Scope # {#scope}
+
+The scope of the policy covers all individuals either employed or contracted to work with, or for, the company, either
+on a company site or remotely.
+
+# Definitions # {#definitions}
+
+: Public WiFi Network
+:: Any wireless network access provided by a third party, such as hotels, cafes, airports, or public hotspots, that is
+     open to public or unvetted access. For the purpose of this policy, eduroam connections other than those on an SR2
+     managed site are to be considered Public WiFi Networks.
+: Sanctioned Device
+:: A device (e.g., laptop, tablet, smartphone) that has been approved and provisioned by the
+     company for business use, with appropriate security configurations and software installed.
+
+# Policy # {#policy}
+
+Devices that are not sanctioned by the company, including home PCs or public access PCs, MUST NOT be used to access
+company cloud services, data, or email accounts.
+
+Though the company takes every effort to ensure that sanctioned devices are adequately protected, the individual MUST
+ensure that, before connecting to the Wi-Fi network, the device has:
+
+- up-to-date antivirus and antispyware software;
+- a firewall that is activated and configured to company requirements (i.e. the settings have not been changed) since
+    the device was configured;
+- all software (including the Web browser) is current with automatic updating;
+- file sharing (e.g. SMB) is switched off.
+
+For security reasons staff and contractors MUST:
+
+- consider if mobile phone tethering is available and use this as the first choice;
+- consider delaying transmission of information until at a secure location;
+- not follow prompts to update software whilst connected to a public network;
+- not rely on the encryption provided by the Public WiFi Network (e.g. WPA) to protect company data;
+- ensure that an end-to-end encrypted connection is established and the user has been trained in setting up
+    such a connection for each service to be used (for the avoidance of doubt, TLS is considered to be end-to-end
+    providing that the certificate presented by the server is validated);
+- ensure that URLs in Web browsers are showing the correct Web addresses in case a criminal has hijacked the Wireless
+    Access Point and is forwarding traffic to their site;
+- keep all information secure, including restricting the view of the screen from any unauthorised person(s);

renovate.json

@@ -0,0 +1,8 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended"
+  ],
+  "minimumReleaseAge": "14 days",
+  "gitAuthor": "Renovate<noreply@sr2.uk>"
+}

static/helpdesk.asc

@@ -0,0 +1,22 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Comment: 1135 3E54 83C7 152B 165C  46A7 9CE7 365E C2E1 4728
+Comment: SR2 Helpdesk (Shared Mailbox) <contact@sr2.uk>
+
+xjMEaUqxIBYJKwYBBAHaRw8BAQdAFRCg++SH2sipx7dN977soQzmlAzVM+2f9iKE
+fFPMjYXNLlNSMiBIZWxwZGVzayAoU2hhcmVkIE1haWxib3gpIDxjb250YWN0QHNy
+Mi51az7CmQQTFgoAQRYhBBE1PlSDxxUrFlxGp5znNl7C4UcoBQJpSrEgAhsBBQkD
+wmcABQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEJznNl7C4Ucof3EA/R91
+WLgYJKg7EI9tVjc1CwBvcsq5i5rV517XBJpvgeVYAQDbcZ/Hd1aH4kNWai7FGwZJ
+Umam/eHhBbgEUKuMLmtBDM4zBGlKsTMWCSsGAQQB2kcPAQEHQDMsWTxTDvrlK43J
+1IFU3ncSUCPqfs25kRXEoxYsUmJBwsA1BBgWCgAmFiEEETU+VIPHFSsWXEannOc2
+XsLhRygFAmlKsTMCGwIFCQPCZwAAgQkQnOc2XsLhRyh2IAQZFgoAHRYhBJSgeWhx
+n4DES3R4uVQdQ7N7rA5JBQJpSrEzAAoJEFQdQ7N7rA5JDCcA/0hhu5bkHLezhgqH
+fqYSLmtp2TV5GW1rcZ8SA4TfdT5wAP9d0grZFtrTwqQBQz/v5RzSKhHcSRI9uFZL
+qXpj3HUsAI54AP9b078TsRtPHsIluPtxPZ0t1JYVWC8A4/ii/q5c+vREyAD+P7Om
+Bk2VgHtT2yiuCKVbFdle/TOPdU7klutYlzEbzAnOOARpSrFBEgorBgEEAZdVAQUB
+AQdAi5FmgcXOHwroZxoD/X6tuLzYrdV8KXeKu1I8FMbVrHEDAQgHwn4EGBYKACYW
+IQQRNT5Ug8cVKxZcRqec5zZewuFHKAUCaUqxQQIbDAUJA8JnAAAKCRCc5zZewuFH
+KD6JAQD1qISJfiEvrmTCEV97An8jGhcYk22CHzzGgB3vljQHagD/QM6HQsBjDENc
+KCmNOoaN/Yq6IM2Rc/tkGr/ALdhwggs=
+=W9Nf
+-----END PGP PUBLIC KEY BLOCK-----

themes/sr2

@@ -1 +1 @@
-Subproject commit 3febfb1a337f2ed1a851f71239cea3b9d17fcbc9
+Subproject commit 596b4e4810ed300bc8bc84d8b0cf2c8cde8a8582