Don't obsess with security and privacy unless they are your core business

9 pointsposted 3 days ago
by amano-kenji

Item id: 46030857

18 Comments

vrighter

3 days ago

" Just constructing what seems to be a reasonably private and robust linux computer took at least a year of full-time effort."

How? I mean seriously, if it took one whole year to set up one linux system, then you must have close to no idea what you're doing. It takes a couple of minutes to install the OS, and another couple of hours (heck, make it days if you want to be extra thorough) to apply some hardening techniques.

Edit: Also, you can't buy "don't write code vulnerable to SQL injection" and you can't buy "Don't ever store passwords, plaintext or encrypted or whatever. You must never know any of your users' password". This to me indicates a naive wannabe vibe-coding their way to disaster. You can't buy "privacy and security" separately from your own product. They must be part of the core business, fundamentally part of the product's design

amano-kenji

2 days ago

That makes sense from a SaaS business owner because security and privacy are a part of software business.

However, I didn't specifically talk about software business. A medical doctor may be interested in mullvad VPN and run it in his own computer, but it doesn't make sense for him to spend a year on learning gentoo linux, setting up linux network namespaces with firejail application profiles for multiple VPNs for different applications, setting up a backdoor-free router out of a computer with Intel ME disabled, setting up a home VPN with the backdoor-free router, setting up a DNS server on that router, and so on. "High level" privacy is a huge full-time rabbit hole I could die in. There is an infinite rabbit hole in one field. At this level, system configuration becomes complex, and you want to learn how to automate reproducible system configuration with nixos or guix. Learning guile scheme and guix system can easily take 3 ~ 6 months of full-time effort on top of all these shit I mentioned. His doctor career would be over before he learns all that just to craft a private computer for himself.

An e-commerce store CEO would lose his shopify e-commerce store if he tried to do all these things I did for my computers. His job is to run an e-commerce store. It is not to spend the next few years full-time on learning linux commands, how to compile linux kernel on gentoo linux, how to set up guix user services, and so on. Before he gets all that, he will lose his e-commerce store.

I had to spend a month on writing a utility because my customized sway environment required it for audio GUI. How the hell did I end up writing a utility for "pipewire" audio GUI? Because KDE, GNOME, cinammon, XFCE, and other desktop environments were buggy as hell and I ended up with a customized sway environment. On top of that, I had to learn how to configure ALSA and pipewire with dot files. I hated learning how to configure pipewire with dot files. Linux desktop environment is still not ready for most people who just want things to work. Why the hell did I need to learn how to make xdg-desktop-portal backends work nicely with firejail? xdg-desktop-portal was another huge time sink. I hated learning about xdg-desktop-portal-gtk and xdg-desktop-portal-wlr and making them play nicely with web browsers in firejail. I had to learn all that because ALSA alone couldn't do basic things I wanted it to do. I also had to learn audio amplifiers and USB DACs because I couldn't stand shitty audio from my motherboard's internal headphone jack. It took months to tame linux audio according to my preferences. The cost of using a customized sway environment is basically your life.

It took months to "fully" tame all the quirks of my sway environment.

I just wanted some privacy, and I ended up doing a lot of things. When you do one thing, you don't just do one thing. You end up doing a lot of ancillary stuff. I ended up becoming very poor because I spent too much time on doing all these shit. It is death by thousand cuts. Security and privacy are just the tip of an iceberg which goes far beyond simple system crafting.

My "unintended" core specialty is crafting a private and robust personal computing environment.

One specialty can basically eat up nearly all of your time if you are not careful.

You don't know how long it takes to learn computer stuff basically from scratch. If they have a very good full-time tutor, they may learn the basic stuff quickly, but it genuinely takes more than a year to learn all the autistic OCD-level privacy shit along with all the ancillary stuff required for a "fully" robust computer system that's basically without a glitch at an OCD level.

The lesson is if you obsess with things outside your core specialty at autistic OCD levels, you will lose your core business whether it is a medical clinic, an e-commerce store, a restaurant, and so on.

In retrospect, if I was supposed to learn from scratch again, I would just install linux mint or buy a macbook, set up one VPN instance on my computer, implement browser isolation with multiple web browers, set up emacs org agenda, and call it a day. This way, your config is minimal, and you don't even want reproducible configuration management systems like nixos and guix.

I used to be an autistic geek. Now, I want a way out of the maze in my mind.

If I focused all that autistic obsession on becoming the best version of myself, I would be a multi-millionaire already.

vrighter

a day ago

And all that stuff you mentioned is stuff you can't buy. You can't buy a preconfigured router that fits your setup. You need to configure it yourself. And if it's the CEO who's provisioning servers and installing and configuring routers and setting up networking routes and crap like that, then there's your problem!

And if he's running an e-commerce store, then why the hell would he be stuggling with pipewire? What the hell is xdg-desktop-portal even used for when hosting a website. What does your audio obsession (nothing wrong with it, I have my own obsessions) making you fuck with amplifiers and DACs have to do with security in any way shape or form?

It really sounds like you started out with the conclusion of "This is boring, I don't want to do it" and finding reasons to justify it.

user

a day ago

[deleted]

lordkrandel

3 days ago

Thank you, for telling us what we should do. People can do whatever they want, at their expense. Maybe people don't want to become rich, but have a private life no one knows about, but people they voluntarily choose. Who are you ranting to? Who is the employee, friend or boss that unnerved you?

amano-kenji

3 days ago

I think it's much better to become rich and then buy security and privacy than to implement them with your manual labor.

Your time is a lot more valuable than your money if you actually spend your time correctly.

You can be a 6 million dollar race horse if you drive it well.

I don't think people actually want privacy and security over everything else. It's better to focus on earning a lot of money from what you really want to do and buy security and privacy.

lordkrandel

8 hours ago

You think so because you belong to the US groupthink. You cannot "buy" privacy and security, that's an illusion. Buy many workers' time making big fences and reviewing code, you're not "buying security". Anyway, privacy and security are rights for everybody, not only for the rich. Every developer should care and defend them. Otherwise you'll have to buy security and privacy for all the projects (and people) you care about. And that could become impossible, depending on how large your heart and scope are. If you become rich to just screw all the people that trusted you with a crappy product with no security, then to me you are just a fraudster.

amano-kenji

2 hours ago

I didn't say it from the perspective of a software business owner.

A medical clinic owner, a restaurant owner, an e-commerce store owner, and other business owners cannot spend much time on computer security and computer privacy. If you are not a business owner, then you are a janitor, a marketer, a store clerk, and so on. If a car salesman spent all his day on hardening his linux machine, he will become flat broke.

You can also buy some levels of security and privacy from purism and other similar companies. Buy a computer with Intel ME disabled from purism and other companies. Enable (mullvad) VPN, and implement browser isolation by installing multiple web browsers. Use a local password manager. However, you can go much further than that by configuring firejail and hardening firejail profiles through manual tweaking. You can also configure linux network namespaces and isolate applications in different network namespaces. There's even more. Security and privacy are an infinite rabbit hole. If you keep going in the infinite rabbit hole, you will grow old and die before you can do anything actually useful with your computer. Should a car salesman listen to you and learn about purism, Intel ME, firejail, browser isolation, VPN, apparmor, linux network namespaces, linux firewall, and so on? No! Hell no! Even if you are a software business owner or a programmer who is in charge of security and privacy, you cannot obsess with the infinite rabbit hole of security and privacy. If you spent years and years on linux kernel hardening, sandboxing techniques, linux network namespaces, and other things, then you won't be effective at all. As I said, it is an infinite rabbit hole, and you can be OCD about it to infinity. Infinite obsession with a specific aspect will kill everything you touch. You haven't stared into the infinite abyss, but I have. That's why you think people should obsess with security and privacy.

Also, if you are a software business owner, then you are not going to write code yourself. You are going to hire other coders. So, you have to buy security and privacy for your software product by buying programmer labor. If a business owner specifically pays programmers to work on security and privacy, then their software will have better security and privacy. But, I wasn't talking about a software business owner. I was talking about other kinds of business owners who may or may not want to harden their own personal computers. A restaurant owner cannot harden his personal linux system to the degree that I have, or he will lose his restaurant because he spent a year full-time on security and privacy.

I think the vast majority of people including car salesman, restaurant owners, and so on shouldn't obsess with security and privacy so much that they lose their jobs and their businesses. Security and privacy are basically a form of safety. If you are so paranoid about thugs and disasters and spend a year full-time on hardening your own house, then you will become very poor and lose financial security and financial freedom. If you obsess with safety too much, you will lose both freedom and safety. You should be rational about it, and "personal" computer safety should not be more than a small hobby if you run a business where "computer" isn't the core business. Businesses like medical clinic and restaurant. If you are a software business owner, then you should just pay coders to implement security and privacy because you can't specialize in many things and still be effective as a businessman. A businessman can't be an effective marketer if he has to write a lot of code.

There is a reason for division of labor and specialization. If you don't specialize in one thing, you will be flat broke. There are more than million specializations, and it's ludicrous to want to force people to obsess with one specialization. That's like saying everyone should learn how to play piano at expert levels. That doesn't mean you neglect security and privacy, but you should be rational about it and not make it more than a small hobby. If you have no profitable specialty, then natural selection will take you out.

Yes, everyone should learn martial arts at expert levels for self defense. Everyone should become an expert pianist because music is good? Martial artists would love to hear that. Learning martial arts takes years of dedicated efforts. A businessman can't be an expert martial artist, an expert piaist, a linux privacy expert, an expert businessman, and so on at the same time. If people listen to everyone else, then everyone has to be everything at the same time. That's impossible.

A few options I recommend

1. Don't care too much about privacy. Live as if there is nothing to hide. Then, you don't have to worry about leaks. You don't download movies. You don't download music. You don't distract yourself. You just focus on work.

2. Buy computers with Intel ME disabled from purism and other companies. Run (mullvad) VPN. Implement browser isolation. Use a local password manager. Call it a day.

Both options are viable. Option 2 can be done even by a restaurant owner although most people would just opt for option 1 unless they are interested in privacy and security.

l___l

3 days ago

I want privacy and security over everything else. This disproved your point.

user

3 days ago

[deleted]

whatevermom2

3 days ago

This was my stance as well about 1.5 year ago.

This is simply not true even when hyperoptimizing for cash.

I always had this gut feeling of using GrapheneOS and QubesOS but decided to go with an iPhone and MacOS because of this idea that I should optimize for cash first and then only I should buy private devices.

Truth is: I started ignoring my "tech intuition" and stopped enjoying programming at all, which obviously led to a decrease in both happiness and revenue.

I started picking up tech that I'm interested about (GrapheneOS, QubesOS, Rust) and I've had a big boost in productivity as a result.

Same can be said with AI adoption; I was forcing myself to use it to be more productive but it had the opposite effect given that it weakened the exceptional intuition that gave me my incredibly privileged position.

Some people need to just execute, but some people are meant to explore, learn and gather new ideas and innovations. Sure, I am not a R&D researcher but everything I learn our of pure joy ends up being useful to my coworkers who are more the "get shit down" type and don't bother learning new tech.

There is a cost to ignoring your intuition and taste! If you feel like implementing privacy and security into your product or your digital life, you will pay a cognitive price by ignoring it.

rl1987

a day ago

Security is like insurance - it is something you kind-of don't need until something bad happens and when it does, you wish you had it.

andyjohnson0

3 days ago

Please don't abuse Ask HN by using it as a blogging platform. Per the guidelines, it is intended for asking questions of the community.

moritzwarhier

3 days ago

I wanted to upvote this for the headline, because I think it's a valid point.

I did, but then reverted to no vote when I was at "if you want to become rich". So yeah the sandwich analogy and the headline are enough to make your point?

I read this page because I am curious, interested in IT and philosophy and want to be a tolerable software developer.

I know HN is a startup and SV site, so there's nothing wrong with talking about business ideas or wanting to become rich.

But if I wanted to read "get rich" slop, I'd read LinkedIn.

Also, you could replace "security" with any specialization in this text, same for replacing IT with any other business:

If you want to get rich with a sandwich shop, or selling any food really, it's crucial to set the right priorities. Gordon Ramsay doesn't bake his own bread! (...)

7222aafdcf68cfe

3 days ago

Well you'll learn a few things in your future, that's for sure. Good luck !

vrighter

3 days ago

and they're gonna learn them the hard way too.

codingdave

3 days ago

Why the false dichotomy? You can implement security and privacy without this whole "from ingredients" concept.

serf

3 days ago

>Buying things takes infinitely less time than building things from scratch.

> financial suicide.

man i'm sick of exaggeration.

anyway , generally speaking I don't try to hyperoptimize for producing cash. I'm not a machine. I appreciate security more than I do squeezing the last penny out of someone. I'm frugal, and it works out okay for me because the time I dont save by not paying people is spent doing things I already enjoy.

what's the point here? why would you bother with producing your own business instead of buying one? It takes infinite time or something -- I don't know, I didn't pay attention in econ.

I don't know if it matters, or if you'll ever see things this way, but value isn't cash. similarly, but not exactly : cash isn't value. Some of us prefer to produce value over cash -- and that confuses the hell out of some people.