6 New Year Security Resolutions for This Security Wannabe

Posted on December 31, 2009

In 2010, I will:

Put my RSS reader on a Crash Diet

I don’t know about you, but seeing ‘1050 unread items’ in my feed reader does not fill me with pleasure. Instead, it starts to feel like “yet another inbox”. I don’t need another one of those :).

As of yesterday, I’ve switched from 500 feeds to about 60. This is my loyalty vote for bloggers I admire/respect and a reflection of an “essentials” only attitude.

I’m going to miss some stuff, but what’s the worst that could happen? Twitter makes up for some of the ground, but ultimately, I’m not going to lose any sleep over this. I hope it leads to me getting more out of my feeds. If you do the same and end up unsubscribing from this blog (shock, horror!) – no hard feelings – I’ll send the free suitcases of money somewhere else ;)!

I’m aware of other ways to remedy feed overload (Postrank, Yahoo! Pipes etc) but for now I’m keeping it simple.

To keep high volume information security and global news sources out of my feed reader, I’m using Netvibes. I’ve set this up with a single page containing key sources – in a multi-column overview page I can scan incredibly quickly. Netvibes will be closed unless I’m actively checking it.

Reduce my Dependence on Google

Google offers some very seductive services for free. They “just work”, are easy to use and efficient. I know, as I use a ton of them!

I’m increasingly concerned at the amount of the web and web experience that Google owns. This isn’t news in some ways and in the past I accepted the trade-off. My primary concern is protecting my privacy, rather than security.

It will be painful to transition away from Gmail and will take time.

For search I am switching to Bing.

Right now, I’m using Chrome (for performance reasons) to run Gmail and Google Reader – that’s it. Firefox for everything else.

Get off self-hosted Wordpress

Wordpress is featureful blogging software with a pretty featureful security track record (!). I like technologies that are low maintainance and don’t leave me wide open to automated threats and/or script kiddies. The Wordpress team are slowly making security improvements to the codebase and I’m grateful for my use of the software, but I don’t want to feel “dirty” running PHP in 2010 ;-) Oh, and Wordpress plugins are even worse from a security perspective than Wireshark plugins. Tip: If like me, you tried and failed when googlng “secure blog software” et al, you’ll appreciate the search term “static website generator”. As regular readers will know, I’ve already switched this blog to Webby and it’s great – no dynamic code, no security worries. For my needs, Webby is excellent.

Compartmentalise my OSX Applications

I love my MacBook Pro and I like OSX. But I know it is less mature than either Windows or Linux from a security perspective. Apple does ship OSX with a program sandboxing feature, but it’s only turned on for a handful of applications. I’ve created a sandbox profile for Firefox on OSX and plan to do so for other apps that take inputs from untrusted sources. This will be an on-going process, both in terms of policy tweaking and applications contained.

Minimise my Browser Attack Surface

This is related to sandboxing, but more about attack surface reduction than containment. I created a new Firefox profile and installed just 3 plugins; for ad-blocking (AdBlock Plus), Javascript and plugin control (NoScript) and password management (1Password). I can still run the full-flavour Firefox is for some reason I need to but this is no longer my default. Whilst this does nothing to eliminate Firefox vulnerabilities, it does reduce the exploitation opportunties. Plus, Firefox is damned fast again now! Do you really need all those add-ins?

Switch Gears with Twitter

I’m a fan of twitter and don’t feel the need to apologise for it.

In the past year, I have gained enormously by following and interacting with smart security peeps (and others outside of my infosec world). It’s lead to collaborations that would have either been slower to happen otherwise, or simply would not have happened. However, it can be challenging in terms of attention management.

I’ve recently switched to using NutshellMail as a short term measure for periodic, timed delivery of incoming tweets by email. This immediately reduced task switching as I can close my twitter client without fear of missing out (or leaving the client running and getting sucked in).

This approach probably won’t work for you if you use twitter for conversations. I don’t as I simply find it too clunky. I do interact though and I don’t want to lose that in the process. I will be less “real time” but 4 hourly intervals is good enough for me.

The other benefit is “inbox reduction”. Now tweets come via a single email to my personal inbox. I don’t have to “look somewhere else”. Not just Twitter, but Facebook and LinkedIn (although not Groups) too.

I plan to post more as I make progress on these items. I welcome your feedback.

All the best for 2010.