New blog post: "'Secure' is Meaningless"

People sometimes ask me whether the latest gadget or app is "secure". That's a meaningless question - here's how to make something meaningful of it.

nora.codes/post/secure-is-mean

Well written, and good explanations that I think should be understandable also for non-security people. Bookmarking for future reference!

@tindall Excellent post, and tyyyy for having RSS on your blog!!

@zt glad you thought so, and, absolutely! I'm glad it's useful.

@tindall Nicely written and well-balanced!

A caveat: on threats from trusted vendors, I'm not sure what would be meaningful advice. Should we judge vendors by what they're known to have done, what people suspect they're doing (but isn't proven), or what they might do someday?

Apple's CSAM plan was delayed. Perhaps indefinitely. Now what?

Once we consider open-ended threats from security updates, any response from ignoring it to extreme paranoia could be justified, depending on your attitude.

@skybrian Glad you enjoyed it!

I think you know what my answer to that is - I _don't_ trust anything that can force an update on me without me being able to inspect it first. Hence my use of free software wherever possible.

@tindall Which Linux distros do you like and how do you inspect the updates?

@skybrian right now I use Debian and Arch. With reproducible binary packages, I can directly correlate cryptographic hashes [1]; with non-reproducible binaries I need only trust the maintainer, which is still some trust but fits much better into my threat model. On Arch, a lot of software comes in version-controlled source packages, and my package manager of choice (`yay`) provides a great workflow for inspecting those, and even on Debian I can build very security-critical software myself, and sometimes do.

1: wiki.debian.org/ReproducibleBu
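The "correlate cryptographic hashes" step above, shown as an added example that is not from this thread, from Debian's tooling or from `yay`: a reproducible build lets you rebuild a package locally and compare the SHA-256 of your rebuild against the digest published for the archive's binary. The helper, file names and the "published" digest below are all constructed for the example; a real check would take the expected digest from the archive's signed metadata or a `.buildinfo` file.

```shell
#!/bin/sh
# Compare a locally rebuilt artifact against a published SHA-256 digest.
# Everything here (files, digest, names) is constructed for illustration;
# it is not Debian's or Arch's own verification tooling.

# verify_sha256 FILE EXPECTED_HEX
# Prints the result and returns 0 on match, 1 on mismatch.
verify_sha256() {
    file="$1"
    expected="$2"
    actual="$(sha256sum "$file" | cut -d' ' -f1)"
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file ($actual)"
        return 0
    else
        echo "FAIL $file: got $actual, expected $expected"
        return 1
    fi
}

# --- demonstration with constructed artifacts ---
workdir="$(mktemp -d)"

# What the archive ships (constructed stand-in for a binary package).
printf 'ELF-stand-in: hello 1.0\n' > "$workdir/archive.deb"
# The digest the archive publishes for it (here computed from the stand-in).
published="$(sha256sum "$workdir/archive.deb" | cut -d' ' -f1)"

# A faithful local rebuild: byte-identical, so the digest matches.
printf 'ELF-stand-in: hello 1.0\n' > "$workdir/rebuild-good.deb"
verify_sha256 "$workdir/rebuild-good.deb" "$published"

# A rebuild that differs (a changed build input, or a modified binary).
printf 'ELF-stand-in: hello 1.0 (modified)\n' > "$workdir/rebuild-bad.deb"
verify_sha256 "$workdir/rebuild-bad.deb" "$published" \
    || echo "rebuild differs from the archive: inspect the diff before trusting the binary"

rm -rf "$workdir"
```

A mismatch does not by itself prove tampering; unreproducible build inputs (timestamps, paths, toolchain versions) produce the same symptom, which is why the diff between the two artifacts is the thing to look at next.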

@skybrian imo the great thing is that it really gives you a dial you can turn of security vs convenience. A normal user can just install things and trust the maintainers, and as your use case gets more complex you can check the things you need to check as you need to check them. It's not all-or-nothing.
