fedops blog

Privacy in Computing

Wed 04 April 2018

History

Posted by fedops in Privacy   

I'm a Unix sysadmin by trade, and have spent the past 25 years of my career doing mostly that and network administration. My very first exposure to the world of free and open source software (though at that point it wasn't called that) was the wonderful world of Unix code that I found when I had my first network-connected workplace at uni. At that point it was an MS-DOS box with a network card that nobody knew what to do with. In a short time I had found an FTP server and was downloading code onto 3.5" floppies. Among them was a stack of 20-odd disks holding Linux 0.96, which I carried home and started tinkering with on my i386SX.

Over the years I have always had a Linux computer at home, until a time in the early 2000s when I moved to Mac OS X. The idea of a Unix system that was able to run shrink-wrapped software and that Just Worked[tm] without having to mess around with drivers and similar things was enticing. So I happily used various Macs for over 15 years. Since I spend most of my time in terminal windows, additions like Macports/Homebrew made the environment all the more comfortable. Apple hardware, while expensive, was far above anything else in the Wintel world and lasted a great deal longer, so all was good.

Or was it?

Surveillance

In the latter half of the 2010s it became apparent that George Orwell was right all along, and the world was moving towards a dystopian society of surveillance, preemptive data collection, and ubiquitous erosion of privacy. Either that or my medications weren't working as well as they should.

Operating systems like Windows 10 spy on the user and transmit data (euphemistically described as "telemetry"). Even my beloved MacOS did it, although to a somewhat lesser degree. Applications record user activity and phone home. Cloud services mirror data with no oversight possible as to what hands this data passes through. Governments were openly pressuring software and hardware companies to provide backdoors through which user data could be obtained and encryption circumvented. Subpoenas were issued to companies with a legal requirement to remain hush about them. And governments were openly contracting with companies like Finfisher and HackingTeam to provide so-called "Government Trojans" which can be deployed onto victims' computers to grab data before it could be encrypted. Online email services had EULAs that openly permitted them to rifle through email contents for their own purposes.

In 2018 I came to the very personal conclusion that the state of the computing industry had decayed to a point where essentially no commercial vendor or service provider could be trusted anymore not to invade my privacy and not to become an aide - voluntarily or involuntarily - to nefarious third parties.

Now What?

Call me a member of the tinfoil hat brigade if you want, but I felt that something needed to be done about this for my own, personal computing.

This "something" bloomed into multiple "somethings":

  • get rid of closed-source software as much as possible, both in the operating system as well as in the applications
  • restrict wide-area network connectivity, e.g. through the use of firewalls on the network level as well as through applications that communicate only where necessary
  • only use administrative rights where absolutely necessary, through a single admin (root) user
  • restrict connectivity on a hardware/firmware level as much as possible (e.g. considering Intel's Management Engine)
  • do not use any cloud storage or application hosting services
  • run my own network services as required
  • in short, a more-or-less thorough implementation of "zero trust computing", with the thoroughness dictated by the trade-off between comfortable use and privacy/security on a case-by-case basis

Safety in Numbers?

An interesting issue, especially concerning the world of commercial spying software like Finfisher, is the question of market share. These Trojans are developed to target personal computing devices, and follow market dynamics. Their primary targets are those systems that are most common, and that are most commonly used by the intended victims. That means the order of preference will be the various most common versions of Windows (7, 10, maybe XP), MacOS, and possibly ChromeOS. The remaining market for all other systems is comparatively small -- Linux has less than 1% of desktop/laptop market share, the BSDs probably less than 1/100th of a percent, and everything else maybe another 1%. On smartphones the situation is similar, and if anything even less fragmented -- iOS and recent Android releases cover probably 99.5% of all smartphones.

So following this train of thought, simply by moving from one of the more popular to one of the more obscure operating systems I felt I was reducing my attack surface considerably.

This sets the stage for what followed next...