For anyone who knows both Caroline and me, you know we are polar opposites on multiple levels.
Regardless, we see eye-to-eye on almost everything when it comes to ClearOPS, and I think we personify a unique and remarkable synthesis of privacy and security experiences and skill sets.
Yet when it comes to recipes for preparing haddock or configuring a new device, we have our differences. I also enjoy cooking, but, unlike Caroline, I find that raw fennel is a pleasant treat, a specialty on the holidays. Long online recipes (with a ton of ads) take a back seat to my simple hard-copy recipe books. I don’t need to roast fennel to enjoy it. I tend to highlight the ingredients, focusing on their simplicity, rather than taking that extra step, like Caroline did, cooking the fennel to get rid of the anise.
This fissure is also apparent when it comes to configuring new electronic devices. My first step is to remove, or to make things simpler, rather than to follow Caroline’s out-of-the-box advice to do more.
My first advice when getting a new laptop or cell phone isn't to add anything new, but rather to strip it down as much as possible. In other words, don’t roast the fennel first; use it raw. I don't install any necessities, not even Tor Browser, until I've removed everything not essential.
Since I run an open-source and security-obsessive operating system called OpenBSD on my laptop, I'm already a step ahead in many ways. My first step is to completely wipe the default operating system and install OpenBSD. Then I take it another step further by removing the Bluetooth card and disabling all unnecessary features from the BIOS, like Intel’s Hyper-Threading.
I'm very much from the school of what I'm now calling "reductive security," and some of my recent blog posts allude to the concept.
Danger Stranger asks if you really need to expose your website visitors to so many third parties. Less is better.
It’s admirable that the Teamsters mitigated a ransomware attack last Labor Day since they maintained hard-copy files to recreate the ransomed data. Analog backups are useful if available.
The notion of reductive security is simple enough: lessen reliance on the digital, eliminate redundant applications, remove unnecessary third parties and collect only what is absolutely essential. I resist adding more digital "stuff" to enhance security for several reasons.
First, more stuff means more things to trust. You are usually better off trusting less over trusting more. That notion should hardly be controversial.
Second, more "stuff" means more lines of code (LoC) in the applications. I believe it was Steve McConnell in 1995 who popularized the notion that for every 1,000 lines of computer code in a program, there are 15 to 50 bugs of one type or another. It's that pool of bugs that presents a Petri dish for computer vulnerabilities.
Disabling unnecessary services matters. I don't know how many LoC are in the Windows print spooler, the program that is core to printing on a Windows computer. The code is closed source and hidden from public view. But have you followed the Windows print spooler vulnerabilities? The full official list is even more disheartening. Yes, that's six CVEs, or Common Vulnerabilities and Exposures, in 2021 alone.
Are you even printing from your Windows laptop anymore?
Any residual snickering about LPR should probably cease at this point.
Enhancing security should be about decreasing the attack surface area as much as it's about security knob turning, network topography, policies and the myriad of other mitigations.
The fewer lines of code, the fewer third parties and the fewer applications that an adversary can attack, the safer you are.
Caroline's recipe to set up your computer with privacy and security from the beginning is good advice, but before you add more to enhance security, I recommend you start with less.
In the coming months, I'll be elaborating more on "reductive security," and I hope you follow how a relatively simple paradigm can have a significant impact on security.
George is a co-founder and CTO of ClearOPS. By trade, George is a systems administrator out of BSD Unix land, with long-time involvement in privacy-enhancing technologies. By nature, he thrives on creating unorthodox solutions to ordinary problems.
ClearOPS is a privacy and security technology company automating security questionnaire response and vendor monitoring. Do you know who your vendors are?