Trusted Systems
Using only trusted systems is the prime principle. If a system is not trusted--all the other principles won't help you. An untrusted system may be used against you to make your most important priorities fail, take over any and all of your connected service accounts, and violate your privacy in shocking ways (using any attached cameras and microphones to record you and/or logging all your keystrokes).
A trusted system is one that has been built, configured, and fully patched by a trusted entity and that has never run untrusted code. For example, if you trust Dell and you purchase a new Dell computer--it is a trusted system when you first begin using it (your first action should be to run Windows Update to maintain the trusted status). Turning a trusted system into an untrusted one is as easy as running a single piece of untrusted code on it. Why? The bottom line is--if untrusted instructions run on your system, you don't know what they do. All the worst things are possible.
Personally, I do a clean install of the operating system when I buy a new system. I like this because then I get to make all the decisions on every bit of software that gets installed on the system. While this helps my mindset regarding trust of the system--its biggest benefit is probably the reduction of bloatware.
Strategies for keeping a trusted system trusted:
- Never intentionally run untrusted code on the system.
- Never fall for deceptive practices designed to trick you into running untrusted code. (more)
- Always keep the system current with security patches so that vulnerabilities are not used to run untrusted code without your knowledge or consent. A system that is no longer supported by security updates cannot be trusted. The risk of a vulnerability being used to run untrusted code without your knowledge grows each hour it remains unpatched.
- Always use anti-virus software and keep it up to date with definitions.
- Always require a password to log into the system and to re-enter the device from a locked-screen state.
- If your device ever leaves your private living space--always manually lock your screen before you leave it unattended and configure it to automatically lock after 15 minutes of inactivity (as a fail-safe in the event you forget to manually lock it).
There is only one way to revert an untrusted system back to a trusted state--reformat the storage media on it and reinstall the operating system.
Sorting the good from the bad
Resistance to deceptive practices designed to trick you into running dodgy code on your system requires a baseline understanding of the legitimate practices that need your approval to run software for good reasons. The rest is easy. Anything that does not fit your understanding of legitimate is suspect. This content has a tilt towards Microsoft Windows systems, but the guidance on trust applies to Macs, iPhones, and Androids as well.
Legitimate Software
- Your base system must be kept up to date with security patches. It may need your cooperation to stay up to date. It should be configured to automate as much as possible, but automation still needs oversight to ensure it's effective.
- New software that you want to use. Your operating system is just a framework for running applications. We all will want to avail ourselves of the huge selection of applications available. It is critical that you get the software from a trusted source. While even trusted sources can be compromised, they are the best we have. We have to trust at some point.
Examples of trusted sources:
- Microsoft Store. Applications in Microsoft Store are vetted by Microsoft. Don't let the store part discourage you. There are a large number of free items available in the store. I use Gimp, Inkscape, and Audacity from the store--all gratis. Software installed via the store gets the bonus of update assistance.
- Adobe, https://www.adobe.com.
- Intuit, https://turbotax.intuit.com.
- Google, https://www.google.com/drive/download/
You get the idea. Large software companies you've heard of will invest in securing their products and benefit from the significant scrutiny they get from big businesses that also use them. Be aware that since the software companies you've heard of have a large distribution base, they are popular targets of trickery. When downloading trusted software, details matter. Make sure https sources are the real deal. Misspellings and obfuscation will be used to attempt to trick you into trusting an imposter.
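The "details matter" check above can be made mechanical. The following is an added example (not from the original page or any of the vendors it names): it takes a download URL, requires https, normalizes the hostname so that Unicode and digit look-alikes cannot hide a mismatch, and compares the registrable domain against a small allow-list built from the vendor domains mentioned in this text. The allow-list, the confusable-character table, the "last two labels" domain heuristic and the edit-distance threshold are all assumptions for illustration; a production version would consult the Public Suffix List and a fuller confusables table.

```python
"""Classify a download URL as trusted, lookalike, unknown, or reject.

Added example, not code from the page. The allow-list and confusable
table below are constructed for illustration.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit
import unicodedata

# Constructed allow-list: registrable domains of the vendors named in the text.
TRUSTED_DOMAINS = {"adobe.com", "intuit.com", "google.com", "microsoft.com"}

# Single-character look-alikes an imposter host might use (digits and a few
# Cyrillic letters that render like Latin ones). Assumption: not exhaustive.
CONFUSABLE_CHARS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic a e o p
    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0455": "s",   # Cyrillic c x i s
})
# Multi-character look-alikes: "rn" reads as "m", "vv" as "w".
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"))
MAX_TYPO_DISTANCE = 2   # assumption: edits within this count as a likely misspelling


@dataclass
class Verdict:
    status: str   # "trusted" | "lookalike" | "unknown" | "reject"
    reason: str


def normalize_host(host: str) -> str:
    """Lower-case, punycode-decode and NFKC-fold a hostname."""
    host = host.strip().rstrip(".").lower()
    try:
        host = host.encode("ascii").decode("idna")   # xn--... labels -> Unicode
    except UnicodeError:
        pass                                          # already Unicode; keep as is
    return unicodedata.normalize("NFKC", host)


def skeleton(name: str) -> str:
    """Collapse look-alike characters so imposters compare equal to the brand."""
    name = name.translate(CONFUSABLE_CHARS)
    for pair, single in CONFUSABLE_PAIRS:
        name = name.replace(pair, single)
    return name


def registrable(host: str) -> str:
    """Assumption: the registrable domain is the last two labels (no PSL lookup)."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one- or two-letter misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_download_url(url: str) -> Verdict:
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return Verdict("reject", "not an https URL with a hostname")
    host = normalize_host(parts.hostname)
    domain = registrable(host)
    if domain in TRUSTED_DOMAINS:
        return Verdict("trusted", f"{domain} is on the allow-list")
    labels = host.split(".")
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if skeleton(domain) == skeleton(trusted):
            return Verdict("lookalike", f"{domain} mimics {trusted} with look-alike characters")
        if brand in labels:
            return Verdict("lookalike", f"brand '{brand}' used inside untrusted domain {domain}")
        if edit_distance(domain, trusted) <= MAX_TYPO_DISTANCE:
            return Verdict("lookalike", f"{domain} is a near-misspelling of {trusted}")
    return Verdict("unknown", f"{domain} is not on the allow-list; treat as suspect")


if __name__ == "__main__":
    # Constructed sample URLs; none of these were taken from the page.
    for sample in (
        "https://turbotax.intuit.com/",
        "http://www.adobe.com/",
        "https://www.ad0be.com/reader",
        "https://www.\u0430dobe.com/reader",            # Cyrillic 'a'
        "https://adobe.com.update-mirror.example/setup.exe",
        "https://adobbe.com/",
        "https://example.org/",
    ):
        v = check_download_url(sample)
        print(f"{v.status:9} {sample}  ({v.reason})")
```

Only "trusted" means the link matched the allow-list exactly; "unknown" is deliberately not "safe", matching the text's rule that anything outside your understanding of legitimate is suspect.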
Examples of Un-Trusted Sources
- Email. Email is the biggest channel for attacks against the general population. It's not just the Nairobi prince trying to get into your kit. It's your best friend and your Auntie Suzie. See, they've been compromised by a phishing campaign and their accounts are now being used to phish you. Don't assume ANYTHING in email is legit, even if it's from Mom. I've seen emails sent from bosses to employees with the attachment adobe_reader_critical_fix.exe with instructions to run it immediately. Of course, it was fake, and of course, it horribly compromised the systems of people that fell for it. Of course, it was a nightmare to unwind the damage to the organization. Friends don't let friends click links or open executable attachments in email.
- The world wide web. Browsing the Internet is not as dicey as clicking on links in email, but it can be a close second if you end up in the wrong places. If you are browsing the web and you get a popup asking you to do something, don't do it. Stop, breathe, take a screenshot of it, then close your browser. Open a new browser session and do some googling on what you see in the screenshot you took. There's a good chance it was dangerous. Also... if your browser wasn't up to date on security patches, you didn't get the popup. Because your browser was vulnerable to a security exploit, they just went ahead and ran the code. They didn't need your cooperation.
- Pirated kit. I like pirated kit as much as the next nerd, but hear me now and believe me later--pirated executables (programs) are just not worth it. Key generators, anything that is an executable set of code you got from dodgy sources--DO NOT LET IT NEAR YOUR KIT.
But ... what if I want to trust a more obscure software brand because it has interesting features that I want to try? See my notes on evaluating less well-known software here.