Six months ago I started writing about a slate I was about to build. Five posts later it sits on my desk, works the way the design document said it would, and has done several jobs that justified the cost of building it.

This is the closing post. The deck did not turn out to be the point. The point was what the deck taught me about everything else.

The work laptop looks different now

When I open my work laptop in the morning I notice things I did not used to notice. I notice how many processes are running before I have signed in. I notice the boot sequence taking longer than the slate's twelve seconds — much longer — and I am no longer sure why. I notice the laptop's tendency to reach for whatever network it last saw, before I have decided whether I want it on a network. I notice that I do not know what is in the firmware of the keyboard.

None of this is to disparage the laptop. It is a perfectly good corporate device, managed by the firm's IT team, doing the job it was bought for. What changed is that I can now formulate the question "what is this device for, and what does it do that it does not need to?" in a way I could not before. The slate is the standard against which the answer reads as uncomfortable.

I have not stopped using the laptop. I have changed which work I do on it.

The home network looks different now

I run a perfectly ordinary fibre line into a perfectly ordinary ISP-supplied router, with a perfectly ordinary collection of smart-home devices behind it. I had told myself for years that this was fine — that I am a cyber security person, that I am alert, that I keep things patched. The slate exposed how shallow that confidence was.

After living with USBGuard default-deny on the slate, I came home and watched the router's DHCP table for an evening. I counted nineteen devices, of which I could confidently describe the threat model for three. The smart speaker. The lightbulbs. The TV. The doorbell. The thermostat. The fridge. The two devices I cannot remember buying. The slate had ruined my ability to look at this list and shrug.

I am not going to claim I rewired my house. I have, since, done three things. I have moved the smart-home devices onto a separate VLAN. I have replaced the ISP router with one I can flash. And I have written down — in plain English, not a framework — what I am protecting against on the home network and what I am not. The third change is more important than the first two.

The firm's estate looks different now

This is the part that took the longest and hurt the most.

I run a cyber security firm. We protect organisations against, more or less, the things the slate is designed to protect itself against. We have a SOC, a detection stack, a vulnerability management programme, a threat-intel feed, an incident response process that has been exercised more than once. By industry standards we are not bad.

After the slate, the question I cannot stop asking is: how much of what we know about our own estate is something we have actually verified, and how much is something we have inherited from a vendor's marketing? The slate has a USB hub whose configuration I personally wrote into a SPI flash and personally verified by readback. The firm has hundreds of devices whose firmware nobody on the team has ever looked at. The slate's network presence is defined in one ufw configuration file I can read in a single sitting. The firm's network presence is defined across dozens of cloud service tenants, SaaS providers, identity federations, and inherited estates from the merger. The slate's threat model is six paragraphs long. The firm's threat model is — was — a deck.

I am rewriting the firm's threat model into sentences this quarter. I am asking the SOC team to pick the ten devices on the estate they are least confident they can describe, and put them at the top of the next quarter's plan. I am asking the executive team to do the same exercise individually, for the systems they personally rely on. It will not be quick. It will not be cheap. It will produce a firm that knows itself better than the firm did six months ago.

This is the change the slate made that the slate cannot take credit for. The slate did not give me the question. It gave me the discipline to keep asking it after the answer became inconvenient.

The boards look different now

The boards I sit on, and the boards I advise, ask me roughly the same set of questions every year. Are we secure? Are we compliant? Are we resilient? Where are we exposed? I have never been able to give a clean answer to any of them, because the questions themselves are too abstract for cleanness to be possible.

What I can do now, after the slate, is ask a different set of questions back.

Which of the systems we depend on can a named human on this executive team describe end to end?

Which of our suppliers are we trusting because we have looked, and which are we trusting because we have not looked?

If we had to write our threat model in plain English, not in a framework — what would be in it, and what would be missing?

Of the things we have decided not to protect against, do we know which they are, and have we written that down?

These are not friendly questions. They are not the questions a board chair wants to be asked at four in the afternoon on a Thursday. But they are the questions the slate trained me to ask, because they are the questions I have already had to answer for myself for one small computer.

The argument of the whole series is here. Most security failures at the firm level are failures of legibility — of nobody being able to say what is actually true about a system, what it depends on, what it is for, what it is not for. The slate is one machine I made legible to myself. The work, for boards and for executive teams and for cyber security firms, is to make more of the world legible to the people accountable for it.

What the slate is now

It is a tool, and it works. It is the device I take to events where I do not want my main computing equipment present. It is the device I do RF survey work on. It is the device I write on when the writing is hard. It is the device I am writing this post on.

It is also a six-month exercise in answering, for one machine, the question I have been asking for years. Owning a computer end-to-end is more work than I expected. It is also less work than I expected, because most of the work is thinking, and thinking is cheap compared to most of the things that pretend to be security.

One last ask

This series was always going to end with the question I asked at the beginning. I will ask it again now.

If you have read the six posts, the only thing I would ask you to do — the only thing — is to open a text editor and write down, in plain English, what one device you rely on is for, what it depends on, what it is protecting you against, and what it is not. One paragraph. Not for anyone else. For yourself.

The hardware is optional. The discipline is not.

That is the series.