michael orlitzky

Advice from the trenches

posted 2018-01-04

This was submitted by request for an article titled “advice from the trenches,” containing advice from various security experts and also me.

Computer security is hard. The usual sinking ship metaphor doesn't even do it justice. Instead of the ocean, you're in outer space, and the water is aliens, and the guy who built your boat has never seen a boat before, and actually there's 10,000 boats. We should all probably just give up and consume our computers for calories. But “give peace a chance” isn't good advice for someone in the trenches, so here's some practical advice that (like most good advice) is boring and impossible to follow.

Recall that computer security is easy. There's only one rule: don't run code from strangers. To help you follow that rule, here's a bunch more.

  1. Update regularly, so that said strangers can't make the decision for you.
  2. Don't use proprietary software. You can't update it yourself, and you don't know what it's doing in the first place.
  3. Don't run javascript in your web browser or email client or PDF reader or…
  4. Use a free software (Linux, BSD, etc.) distribution and limit yourself to the software available in its repositories. The four freedoms let somebody else keep things up-to-date for you, and each change can be traced back to a real person.
  5. Make it impossible to run code “accidentally” by whitelisting only those programs installed by your distribution or by yourself.
  6. Don't do anything important on your phone.

If any of that sounds hard—well, I warned you.