refactor: Move wiki articles to individual folders

content/wiki/basics/account-creation/_index.md

@@ -9,7 +9,7 @@ Often people sign up for services without thinking. Maybe it's a streaming servi
 
 There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer.
 
-It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion/_index.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account.
+It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](../account-deletion/_index.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account.
 
 ## Terms of Service & Privacy Policy
 
@@ -27,13 +27,13 @@ There are usually multiple ways to sign up for an account, each with their own b
 
 ### Email and password
 
-The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords.
+The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](../passwords-overview/_index.md) regarding passwords.
 
 > [!TIP]
 > You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key.
 
 
-You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication/_index.md) on your accounts.
+You will be responsible for managing your login credentials. For added security, you can set up [MFA](../multi-factor-authentication/_index.md) on your accounts.
 
 [Recommended password managers](../../tools/software/passwords/_index.md){ .md-button }
 
@@ -61,7 +61,7 @@ But there are disadvantages:
 - **Privacy**: The OAuth provider you log in with will know the services you use.
 - **Centralization**: If the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected.
 
-OAuth can be especially useful in those situations where you could benefit from deeper integration between services. Our recommendation is to limit using OAuth to only where you need it, and always protect the main account with [MFA](multi-factor-authentication/_index.md).
+OAuth can be especially useful in those situations where you could benefit from deeper integration between services. Our recommendation is to limit using OAuth to only where you need it, and always protect the main account with [MFA](../multi-factor-authentication/_index.md).
 
 All the services that use OAuth will be as secure as your underlying OAuth provider's account. For example, if you want to secure an account with a hardware key, but that service doesn't support hardware keys, you can secure the account you use with OAuth with a hardware key instead, and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your OAuth provider account means that any account tied to that login will also be weak.
 

content/wiki/basics/account-deletion/_index.md

@@ -12,7 +12,7 @@ Over time, it can be easy to accumulate a number of online accounts, many of whi
 If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned).
 
 <figure markdown>
-  ![Bitwarden's Data Breach Report feature](./exposed_passwords.png)
+  ![Bitwarden's Data Breach Report feature](exposed_passwords.png)
 </figure>
 
 Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser ([Firefox](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Chrome](https://passwords.google.com/intro), [Edge](https://support.microsoft.com/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336)) or your phone ([Google](https://passwords.google.com/intro) on stock Android, [Passwords](https://support.apple.com/HT211146) on iOS) without even realizing it.

content/wiki/basics/common-misconceptions/_index.md

@@ -8,7 +8,7 @@ description: Privacy isn't a straightforward topic, and it's easy to get caught
 
 These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. <mark>Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.</mark> When you evaluate software, you should look at the reputation and security of each tool on an individual basis.
 
-Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities known as [:material-package-variant-closed-remove: Supply Chain Attacks](common-threats.md#attacks-against-certain-organizations){ .pg-viridian }, which are discussed further in our [Common Threats](common-threats.md) page.[^1]
+Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities known as [:material-package-variant-closed-remove: Supply Chain Attacks](../common-threats/_index.md#attacks-against-certain-organizations){ .pg-viridian }, which are discussed further in our [Common Threats](../common-threats/_index.md) page.[^1]
 
 On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering.
 

content/wiki/basics/common-threats/_index.md

@@ -4,7 +4,7 @@ weight: 30
 description: Your threat model is personal to you, but these are some of the things many visitors to this site care about.
 ---
 
-Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. <mark>You may be concerned with none, one, a few, or all of these possibilities</mark>, and the tools and services you use depend on what your goals are. You may have specific threats outside these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat.
+Broadly speaking, we categorize our recommendations into the [threats](../threat-modeling/_index.md) or goals that apply to most people. <mark>You may be concerned with none, one, a few, or all of these possibilities</mark>, and the tools and services you use depend on what your goals are. You may have specific threats outside these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat.
 
 <span class="pg-purple">:material-incognito: **Anonymity**</span>
 
@@ -130,7 +130,7 @@ Therefore, you should use native applications over web clients whenever possible
 
 </div>
 
-Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as whom you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all.
+Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as whom you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](../threat-modeling/_index.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all.
 
 ## Mass Surveillance Programs
 
@@ -186,7 +186,7 @@ Additionally, even companies outside the *AdTech* or tracking industry can share
 
 The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy.
 
-- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion/_index.md)
+- [View our guide on account deletion :material-arrow-right-drop-circle:](../account-deletion/_index.md)
 
 On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission.
 
@@ -200,12 +200,12 @@ Censorship online can be carried out (to varying degrees) by actors including to
 
 Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship.
 
-People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview/_index.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../../tools/software/social-networks/_index.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily.
+People concerned with the threat of censorship can use technologies like [Tor](../../advanced/tor-overview/_index.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../../tools/software/social-networks/_index.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily.
 
 > [!TIP]
 > While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic.
 > 
-> You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place. Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection).
+> You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../../advanced/dns-overview/_index.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place. Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection).
 
 
 You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught.

content/wiki/basics/email-security/_index.md

@@ -29,7 +29,7 @@ If you use a shared domain from a provider which doesn't support WKD, like `@gma
 
 ### What Email Clients Support E2EE?
 
-Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../../tools/software/email-clients/_index.md). Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](account-creation.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](multi-factor-authentication/_index.md) is not possible with plain password authentication.
+Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../../tools/software/email-clients/_index.md). Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](../account-creation/_index.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](../multi-factor-authentication/_index.md) is not possible with plain password authentication.
 
 ### How Do I Protect My Private Keys?
 

content/wiki/basics/hardware/_index.md

@@ -16,7 +16,7 @@ Some devices will have a "hardware security program", which is a collaboration b
 
 - [Windows Secured-core PCs](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure-11) meet a higher security criteria specified by Microsoft. These protections aren't only applicable to Windows users; Users of other operating systems can still take advantage of features like [DMA protection](https://learn.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) and the ability to completely distrust Microsoft certificates.
 - [Android Ready SE](https://developers.google.com/android/security/android-ready-se) is a collaboration between vendors to ensure their devices follow [best practices](https://source.android.com/docs/security/best-practices/hardware) and include tamper resistant hardware backed storage for things like encryption keys.
-- macOS running on an Apple SoC takes advantage of [hardware security](../os/macos/_index.md#hardware-security) which may not be available with third party operating systems.
+- macOS running on an Apple SoC takes advantage of [hardware security](../../os/macos/_index.md#hardware-security) which may not be available with third party operating systems.
 - [ChromeOS security](https://chromium.org/chromium-os/developer-library/reference/security/security-whitepaper) is at its best when running on a Chromebook as it is able to make use of available hardware features such as the [hardware root-of-trust](https://chromium.org/chromium-os/developer-library/reference/security/security-whitepaper/#hardware-root-of-trust-and-verified-boot).
 
 Even if you don't use these operating systems, participation in these programs may indicate that the manufacturer is following best practices when it comes to hardware security and updates.
@@ -69,7 +69,7 @@ Some threats can't be protected against by your internal components alone. Many
 
 Hardware keys are devices that use strong cryptography to authenticate you to a device or account. The idea is that because they can not be copied, you can use them to secure accounts in such a way that they can only be accessed with physical possession of the key, eliminating many remote attacks.
 
-[Recommended Hardware Keys :material-arrow-right-drop-circle:](../../tools/hardware/security-keys/_index.md){ .md-button .md-button--primary } [Learn More about Hardware Keys :material-arrow-right-drop-circle:](multi-factor-authentication/_index.md#hardware-security-keys){ .md-button }
+[Recommended Hardware Keys :material-arrow-right-drop-circle:](../../tools/hardware/security-keys/_index.md){ .md-button .md-button--primary } [Learn More about Hardware Keys :material-arrow-right-drop-circle:](../multi-factor-authentication/_index.md#hardware-security-keys){ .md-button }
 
 ### Camera/Microphone
 

content/wiki/basics/multi-factor-authentication/_index.md

@@ -52,7 +52,7 @@ When logging into a website, all you need to do is to physically touch the secur
 The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process.
 
 <figure markdown>
-  ![Yubico OTP](./yubico-otp.png)
+  ![Yubico OTP](yubico-otp.png)
 </figure>
 
 There are some benefits and disadvantages to using Yubico OTP when compared to TOTP.
@@ -70,7 +70,7 @@ U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikiped
 WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication.
 
 <figure markdown>
-  ![FIDO](./fido.png)
+  ![FIDO](fido.png)
 </figure>
 
 When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal.

content/wiki/basics/passwords-overview/_index.md

@@ -24,7 +24,7 @@ All of our [recommended password managers](../../tools/software/passwords/_index
 
 You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it.
 
-When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multifactor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage.
+When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](../threat-modeling/_index.md) calls for it, we recommend going through important accounts (especially accounts that don't use multifactor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage.
 
 <!-- TODO: Admonition -->
 <div class="admonition tip" markdown>
@@ -164,7 +164,7 @@ There are many good options to choose from, both cloud-based and local. Choose o
 <div class="admonition warning" markdown>
 <p class="admonition-title">Don't place your passwords and TOTP tokens inside the same password manager</p>
 
-When using [TOTP codes as multifactor authentication](multi-factor-authentication/_index.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../../tools/software/multi-factor-authentication/_index.md).
+When using [TOTP codes as multifactor authentication](../multi-factor-authentication/_index.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../../tools/software/multi-factor-authentication/_index.md).
 
 Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager.
 

content/wiki/basics/threat-modeling/_index.md

@@ -99,7 +99,7 @@ Making a security plan will help you to understand the threats that are unique t
 
 For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations.
 
-- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md)
+- [Common Goals and Threats :material-arrow-right-drop-circle:](../common-threats/_index.md)
 
 ## Sources
 

content/wiki/basics/vpn-overview/_index.md

@@ -9,7 +9,7 @@ Virtual Private Networks are a way of extending the end of your network to exit
 
 [:material-movie-open-play-outline: Video: Do you need a VPN?](https://www.privacyguides.org/videos/2024/12/12/do-you-need-a-vpn){ .md-button }
 
-Normally, an ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem). Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading, but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns).
+Normally, an ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem). Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading, but they can get an idea of the [domains you request](../../advanced/dns-overview/_index.md#why-shouldnt-i-use-encrypted-dns).
 
 Using a VPN hides even this information from your ISP, by shifting the trust you place in your network to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing through it.
 
@@ -46,9 +46,9 @@ VPNs cannot encrypt data outside the connection between your device and the VPN
 
 ## When isn't a VPN suitable?
 
-Using a VPN in cases where you're using your [real-life or well-known identity](common-misconceptions.md#complicated-is-better) online is unlikely to be useful. Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website.
+Using a VPN in cases where you're using your [real-life or well-known identity](../common-misconceptions/_index.md#complicated-is-better) online is unlikely to be useful. Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website.
 
-It's important to remember that a VPN will not provide you with absolute anonymity because the VPN provider itself will still have access to your real IP address, destination website information, and often a money trail that can be linked directly back to you. "No logging" policies are merely a promise; if you need complete safety from the network itself, consider using [Tor](../advanced/tor-overview/_index.md) in addition to or instead of a VPN.
+It's important to remember that a VPN will not provide you with absolute anonymity because the VPN provider itself will still have access to your real IP address, destination website information, and often a money trail that can be linked directly back to you. "No logging" policies are merely a promise; if you need complete safety from the network itself, consider using [Tor](../../advanced/tor-overview/_index.md) in addition to or instead of a VPN.
 
 You also should not trust a VPN to secure your connection to an unencrypted, HTTP destination. In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider and other potential adversaries in between the VPN server and your destination. You should enable HTTPS-only mode in your browser (if it's supported) to mitigate attacks which try to downgrade your connection from HTTPS to HTTP.
 
@@ -60,9 +60,9 @@ Another common reason encrypted DNS is recommended is that it prevents DNS spoof
 
 ## Should I use Tor *and* a VPN?
 
-Maybe, Tor is not necessarily suitable for everybody in the first place. Consider your [threat model](threat-modeling.md), because if your adversary is not capable of extracting information from your VPN provider, using a VPN alone may provide enough protection.
+Maybe, Tor is not necessarily suitable for everybody in the first place. Consider your [threat model](../threat-modeling/_index.md), because if your adversary is not capable of extracting information from your VPN provider, using a VPN alone may provide enough protection.
 
-If you do use Tor then you are *probably* best off connecting to the Tor network via a commercial VPN provider. However, this is a complex subject which we've written more about on our [Tor overview](../advanced/tor-overview/_index.md) page.
+If you do use Tor then you are *probably* best off connecting to the Tor network via a commercial VPN provider. However, this is a complex subject which we've written more about on our [Tor overview](../../advanced/tor-overview/_index.md) page.
 
 ## Should I access Tor through VPN providers that provide "Tor nodes"?
 

content/wiki/basics/why-privacy-matters/_index.md

@@ -32,7 +32,7 @@ Many people get the concepts of **privacy**, **security**, and **anonymity** con
 
 All of these concepts overlap, but it is possible to have any combination of these. The sweet spot for most people is when all three of these concepts overlap. However, it's trickier to achieve than many initially believe. Sometimes, you have to compromise on some of these, and that's okay too. This is where **threat modeling** comes into play, allowing you to make informed decisions about the [software and services](../../tools/_index.md) you use.
 
-[:material-book-outline: Learn More About Threat Modeling](threat-modeling.md){ .md-button }
+[:material-book-outline: Learn More About Threat Modeling](../threat-modeling/_index.md){ .md-button }
 
 ## Privacy vs. Secrecy