As is often the case with aspiring and current Security Professionals, I’m something of a security enthusiast. This makes itself fairly well known if you ever get within about ten feet of my laptop - it’s absolutely bedecked with stickers from the EFF proclaiming my dissent for unsupervised search and my believe that privacy is a universal right. This usually leads to at least one or two eyebrows getting raised, and there’s almost always a conversation that follows - one I rarely articulate well.
When faced with the choice between the work of locking down a computing solution, or the insecure defaults, most people eschew the work. When called on that, they usually respond “but I have nothing to hide”. This is fair, and their perogative, but I’m hear to tell you the uncomfortable truth.
That’s Not True
I’m not saying you’re lying to me about having nothing to hide. You probably aren’t. You probably pride yourself on being an open book - in the age of social media feeds dedicated to how much we managed to walk today and the finer points of our lunch, it’s no surprise people are self-conditioned to think that anything attention-getting is attention-worthy.
Let’s talk about what you have to hide, that you might never have considered. Most of you are fairly intelligent people, so I am going to assume you know better than to store your credit card number, expiry, and cvv on the computer. But are you sure your computer hasn’t had a keylogger serruptitiously set against it, recording your keystrokes? How would you know? How would you prevent that?
Let’s take another example. I have, published on my website, an incomplete (and erroneous) cv. As it turns out I always keep two versions of my CV handy, at minimum - one with my contact information, and one with only my secondary contact (email) listed. I do that to protect my privacy - if I’m applying for a job directly, sure, you can have my number. If I’m just leaving bait on the hook, I don’t need every irritating web recruiter also able to hit up my phone.
Here’s another for you - invoices. A lot of you out there are in the freelance game, and some of you, I would hope, keep business records. Who you’ve dealt with. What they’ve spent. Ignoring for a moment the damage that could be done to your reputation for losing that information, you could actually be in breach of several laws and regulations by failing to properly secure that. Yes, your .txt full of clients on your personal laptop counts as customer PII. That’s just how it works.
Do you use a desktop mail client like Thunderbird or Outlook? Chances are mmost or all of the mail readable in it has been stored to disk somewhere. I have nothing to hide in the “this stuff is illegal” sense, but I for damn sure don’t want people just leafing through my mail. I’m sure my wife doesn’t either.
What about that other stuff you’re working on? I’m not talking your fortnite save data here. I”m talking about that barcade idea you’ve been batting around for years now, trying to work into a viable business plan. I’m talking your designs for that cool new product. Your sketches for that illustration that’s going to be the centrepiece of your display at the next artshow. The sick album you’re not ready to drop on soundcloud yet. Do you want all that leaked? No?
Those are just the privacy arguments for good security. We’re ignoring another big factor here - Security as Declaration and Proof of Ownership, which is its own whole thing. We’re talking about putting your computer into a state where it doesn’t matter if you’re falling for the Microsoft Tech Support scams or clicking on the links, the damage is going to be minimal at best.
I’m not saying everyone needs to run Qubes. I’m saying y’all should stop treating strong passwords and Full Disk Encryption like using them is going to put you on a government watch list. They’re the only things standing between you and those seeking to embarass, harass, or demean you. The threat isn’t always the police state. It’s some twerp you pissed off playing CS:GO, or someone who resents that you blocked them on twitter. It’s the angry boyfriend. The guy on the IT helpdesk with nothing better to do.
Your computer - or smartphone - is yours. Treat it as such.