Two Wrongs

Basic Computer Security: Things I Want to Explore

I got mysteriously affected by taking a computer security course at university. It's not that I knew nothing about computer security before – it's always been kind of a favourite subject of mine. It's also not that I didn't care about it at all before either. It's just that I … couldn't bother with it. It requires a lot of effort, right? Cumbersome?

Actually, no.

I guess that's what the course taught me. Basic security doesn't have to be that hard. Most things are actually pretty easy on a day-to-day basis, once you have learned them.

Lest I forget, here are some topics I'm interested in exploring, potentially learning and applying to my machines, in no particular order.

  • Firewall configuration for a server. A simple "default deny" firewall shouldn't be that hard to set up. I want one. Status: Success!
  • Firewall configuration for a laptop. 99.5% of the time, my laptop is behind a NAT box and not directly accessible from the internet. This puts slightly different requirements on the firewall rules, I suspect. I want to know what those requirements are.
  • Other security concerns on an untrusted local network. There are plenty of exploits available to someone who is physically connected to the same network as you. I want to find out what those are and how to become immune to them. Status: Step one, DNS, tackled!
  • Day-to-day use of OpenPGP. I'm starting to get comfortable with the OpenPGP protocol, but I feel like there are many areas where I could use it a lot more than I do.
  • SELinux. Stop disabling SELinux!
  • Log watching. I want to get emails for any log messages on my system that I haven't explicitly told the computer are part of the set of "normal" log messages.
  • Passwordless setups. Passwords, when used as the only form of authentication, have to be communicated to anyone who wants to confirm your identity. That sucks. I'm not planning on going straight from a 6-character password to no password authentication at all (which is effectively the same as a password of infinite length) but I do approach that territory slowly, by increasing the length of my passwords little by little, and using them less and less in favour of alternate means of authentication. I am a religious user of SSH keys, I have configured my VPN (see below) to use certificate-based TLS authentication, and when I encrypt stuff I do it with public key cryptography rather than shared secrets. Passwordless sudo is also part of the picture.
  • VPN. So after some deliberation I've decided to jump into this pit anyway. I don't remember what the deciding factor was, but I do know I'm going to have use for it now that it's configured.
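
The log-watching item above describes an allowlist: everything is reported unless it matches a pattern explicitly marked as normal. The sketch below is an added example, not code from this site; the syslog format, the patterns, the sample lines and the mail addresses are all constructed assumptions.

```python
import re
from email.message import EmailMessage

# Traditional syslog header: "Mon DD HH:MM:SS host " (assumed log format).
HEADER = re.compile(r"[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \S+ ")

# Constructed allowlist of "normal" messages. Each pattern must match the
# whole message, so a known-good prefix cannot hide unexpected trailing text.
NORMAL = [re.compile(p) for p in (
    r"sshd\[\d+\]: Accepted publickey for \w+ from [\d.]+ port \d+ ssh2",
    r"CRON\[\d+\]: pam_unix\(cron:session\): session (opened|closed) for user \w+( by \(uid=\d+\))?",
    r"systemd\[1\]: (Started|Stopped) [\w .-]+",
)]

def unexpected(lines):
    """Return every line that is not explicitly allowlisted."""
    flagged = []
    for line in lines:
        line = line.rstrip("\n")
        if not line.strip():
            continue
        header = HEADER.match(line)
        # Lines without a parseable header are reported, never dropped.
        message = line[header.end():] if header else None
        if message is None or not any(p.fullmatch(message) for p in NORMAL):
            flagged.append(line)
    return flagged

def build_report(lines, sender="logwatch@localhost", recipient="root@localhost"):
    """Build (but do not send) the alert mail; None when nothing is unusual."""
    flagged = unexpected(lines)
    if not flagged:
        return None
    mail = EmailMessage()
    mail["From"], mail["To"] = sender, recipient
    mail["Subject"] = f"{len(flagged)} unexpected log line(s)"
    mail.set_content("\n".join(flagged))
    return mail

# Constructed sample input.
SAMPLE = [
    "Mar  3 10:15:01 host1 CRON[4121]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Mar  3 10:16:22 host1 sshd[4200]: Accepted publickey for alice from 192.0.2.10 port 50514 ssh2",
    "Mar  3 10:17:40 host1 sshd[4231]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2",
    "Mar  3 10:18:02 host1 systemd[1]: Started Daily apt download activities.",
    "Mar  3 10:19:30 host1 sshd[4300]: Accepted publickey for alice from 192.0.2.10 port 50520 ssh2 (unexpected trailing text)",
    "line with no syslog header",
]
```

Handing the returned message to a local mail transfer agent, for example with `smtplib`, is left out so the example runs offline.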