4

The Tech Solidarity organization provides a list of basic security guidelines, described by Jeff Atwood as

... pure gold and has been vetted by many industry professionals ...

From that same organization, there is also a list of Security Guidelines for Congressional Campaigns (April 2019).

Here are a few quotes from that document:

  1. Uninstall all anti-virus software. ... The only exception is Windows Defender.

  2. You must use an iPhone, model 6 or later. Android phones are not safe to use.

  3. Use Google Chrome as your default browser on your laptop. ... Avoid Safari and Firefox

These seem like some pretty strong claims.

Unfortunately, no references are provided.

I've spent some time trying to find information that supports these claims, but what I've found seems either old, inconclusive, or opinionated. For example, there's an interesting discussion about iPhone and Android phones here, but this does not deal with stock Android. This discusses how antivirus software cannot protect against all threats, but doesn't say not to use any, and this explains how it is difficult to compare browser security.

Are the above guidelines all just opinionated, or does any consensus exist (among security experts) on these subjects?

Note, I'm asking for facts that either support or oppose these claims.

djvg
  • Can you please [edit] your question to clarify that you are asking about these claims specifically and not just broadly about "some basic security guidelines"? –  Nov 25 '20 at 14:56
  • 1) Not sure if Windows Defender today is as good as other popular antivirus software, I personally wouldn't rely on it without further proof yet. 2) Unfortunately Android phones *are* definitely less secure on average, but note I said "Android phones", not Android alone. 3) Chrome clearly better than Firefox? I doubt it. – reed Nov 25 '20 at 15:16
  • @MechMK1: tried to clarify the title. Thanks. – djvg Nov 25 '20 at 15:25
  • @reed Sources would be good though –  Nov 25 '20 at 15:35
  • why waste time considering claims that are made without evidence? life's short. – dandavis Nov 25 '20 at 18:42
  • @dandavis: You're right, but if there's any truth to these statements, I think that would be good to know. – djvg Nov 26 '20 at 07:53

3 Answers

1

This group describes itself as:

Since 2018, the group has concentrated on fundraising from the tech community for candidates for public office.

It claims no knowledge about IT, but it suggests that its advice was found useful. Also, it provides advice for a specific group of people, in the quoted page, for congress members/candidates.

The reason why all the articles are inconclusive or heavily opinionated is that this is normal in our line of work. Very few read the IEEE transactions on computers or any scientific literature. And of course, many security incidents are not reported so statistics are not reliable. There is no real consensus on any of these subjects. For example: all anti-virus vendors produce statistics that anti-virus IS effective, with some underlying statistics.

Alternatives to anti-virus for keeping oneself safe provides a balanced view on anti-viruses.

It is a well-known fact that anti-virus consumes a lot of resources. That should not need any further proof. Others (like datapot.net) state, based on statistics that:

On average, antivirus software is only 25% successful at detecting malware.

Statistics on computer viruses and antivirus software show that, unfortunately, the malicious apps are winning the battle. Currently, “popular” malicious programs are having a field day, even against top-of-the-line antivirus software. There’s no such thing as a fully impenetrable wall; some viruses and trojans pass through completely undetected during the initial encounter with the antivirus.

The effectiveness of Code Signing seems mainly dependent on the signing process. Note that the enforcement of code signing is missing from the advice list given.

The bold statement:

Android phones are not safe to use.

is too general, and the statement that iOS would be safe is difficult to take seriously. Research Siri and its use of subcontractors to listen in, for example.

Browser advice seems more religious than based on reality. Real browser security seems more dependent on the use of plug-ins, JavaScript (or, horror: still Flash!) and the like. Note that ExpressVPN has a different view on the security; they have the following top 7:

  1. Tor Browser
  2. Firefox
  3. Brave
  4. Chrome
  5. Safari
  6. Opera
  7. Edge
schroeder
Ljm Dullaart
1

I believe it is important to understand that these guidelines are supplementary material to their training.

Thank you for attending a training session! We covered a lot of ground, so these notes are meant to serve as a reference and reminder of the advice we gave you.

They do sound like opinions/preferences.

As mentioned in the guidelines, they don't just recommend using Chrome as is. They recommend adding some extensions to Chrome as well. That sounds reasonable to me.

While they did not provide any published references, they did provide the reasoning for these guidelines. I can't think of references off the top of my head but maybe they explained these points in the training?

Of course, it is your choice to believe them or not.

Limit
  • Thanks. You are right. Although similar claims are also made in the [basic security guidelines](https://techsolidarity.org/resources/basic_security.htm) document, which *is* a self-contained document. – djvg Nov 26 '20 at 09:21
1

These are just personal preferences of these guys. Just look, for instance, at their advice about password managers. They suggest using 1Password, which has the following huge problems: it is closed source, so nobody knows what they are actually doing with your passwords; as a main option they suggest storing your passwords on their server, and again, nobody knows who can read your passwords on their servers; even if stored on Dropbox, you cannot be sure that nobody else can decrypt and read your passwords.

Same about other recommendations. They are very arguable.

mentallurg