What’s that word? You might not have seen it before. Why is it in a blog post about security?
Let’s start with just pasting in the definition from googling “Praxis Definition”.
prax·is/ˈpraksəs/
nounFORMAL
- practice, as distinguished from theory.
“the gap between theory and praxis, text and world”
- accepted practice or custom.
“patterns of Christian praxis in church and society”
This post, as a summary, will be about making a total life change to be about being secure. It’s a change in perception and action that requires time and effort but can (usually) be for the better.
As an example of security culture, imagine you are a political activist. It doesn’t matter what you’re an activist for, in this case. You have acquaintances and friends who are also activists, one would hope.
One day, you start a conversation with one of them. Midway through the conversation, they say, “Well, at the last protest I….” This is your time to hold up a hand and say, “Stop. I don’t want to know.”
Not because you genuinely don’t want to know. It’s probably a good story. But for your own safety and security, you shouldn’t know. Because if you know, you then have to, should that action be illegal, either A) lie to the police if or when you’re asked about it, or B) exercise your 5th amendment rights (supposing you’re in the USA). Neither of these are good options.
For IT professionals, we’re often trusted with information we, frankly, should never have known in the first place. Our time to hold up a hand and say, ” Stop. I don’t want to know.” is when anyone starts to recite a password to any system we do not directly have administrative rights to, or any system we do not absolutely require access to.
I have actually had people start to tell me their bank passwords. No thank you.
Should something happen, and it has, the first stop on anyone’s mental check list of “Who Done It?!” is going to be people they’ve given the password. And trusted individuals are given a pass, ex: Spouses. If I’m on the list, and not a trusted individual (and we’re never going to assume this), I will be receiving a call from the police.
I do not want a call from the police.
Even if I’ve done nothing wrong. Especially if I’ve done nothing wrong.
There’s a different topic in that, but it’s not for this blog on this website.
On the opposite side of this praxis (that is, opposite to ensuring you only know what you need to know), there is ensuring that others only know what they need to know, and do not know what they don’t need to know.
There are basic things, like: Don’t keep a physical record of your passwords, don’t say them out loud while typing, etc.
But further than that, there’s keeping logs.
System administrators already know this well. Logs are your friend. They prove who did what and where and when they did it. Anything you use that keeps logs, pay attention to them.
My bank, for example, sends me an email any time I login from any application or device, complete with that device’s ID and approximate location. I love this. But I’ve heard people complain about the constant emails associated with logging like this.
Until they get one when they haven’t logged in. Logs are your friend.
And, the final step in total praxis of security, is this: Shut your mouth(s).
That sounds really simple, but it’s that “(s)” part that’s important. You have more than one mouth. Or do you not also have a Facebook, YouTube, Twitter, LinkedIn, Instagram, Snapchat, Google Account, NewestSocialMediaPlatformHere, etc.?
I’ll give you a big hint about these services. The farm is free for the cows.
Did you know you can go into your Google account page and not only see a complete log of any voice command you’ve ever given your device, BUT LISTEN TO A COMPELTE RECORDING OF IT?
This applies to Amazon Alexa, too. Does this implicate Amazon or Google in some nefarious plot? Not really. Practically speaking, there’s no way for anyone (human) to listen to all of those voices, and there is, at best, an algorithm that listens for when someone cusses at their Alexa or Google home because it didn’t hear a command right, and tries to learn from that for better voice recognition.
But this does highlight something. As a culture, we’ve decided to just give away private information. We decided that’s an okay thing to do and haven’t considered the ramifications of it.
Twitter, for example, has a very powerful search API. If you don’t remember that terrible thing you said in September of 2010, but someone else sort of does, and wants to find it, and use it, well, it’s as easy as bringing up the helpful knowledge base article on the API, and then away they go!
Also, turn off location on your posts. C’mon, that’s just creepy, and it’s been discussed as an avenue for people wanting to break into your house to abuse.
Should you stop using social media? No. It’s actually an incredibly powerful and useful tool for interconnecting with everyone around you.
Should you be more aware of what you’re saying, or more importantly, giving away? Absolutely.
There’s even more to say on this topic, but that’s not necessarily for this blog, or this website. This post is more about the idea of engaging yourself in security culture and exercising good praxis of the ideas it presents.
This is a process. No one changes their habits overnight. But if you take your personal security seriously, you may find that you, at the very least, feel safer, though if I stopped you from being the sort of person who puts their phone number on Facebook publicly, I’ll count that a victory.
Stay safe online, and in the wide world.
~AJ
